Red Hat Enterprise Linux 6 6.2 Technical Notes

Red Hat Enterprise Linux 6
6.2 Technical Notes
Detailed notes on the changes implemented in Red Hat Enterprise Linux 6.2
Edition 2
Red Hat Engineering Content Services
Legal Notice
Copyright © 2011 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0
Unported License. If you distribute this document, or a modified version of it, you must provide
attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red
Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert,
Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity
Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other
countries.
Linux ® is the registered trademark of Linus Torvalds in the United States and other countries.
Java ® is a registered trademark of Oracle and/or its affiliates.
XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United
States and/or other countries.
MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and
other countries.
Node.js ® is an official trademark of Joyent. Red Hat Software Collections is not formally
related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack ® Word Mark and OpenStack Logo are either registered trademarks/service
marks or trademarks/service marks of the OpenStack Foundation, in the United States and other
countries and are used with the OpenStack Foundation's permission. We are not affiliated with,
endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Abstract
The Red Hat Enterprise Linux 6.2 Technical Notes list and document the changes made to the
Red Hat Enterprise Linux 6 operating system and its accompanying applications between Red
Hat Enterprise Linux 6.1 and minor release Red Hat Enterprise Linux 6.2.
Table of Contents
Preface
Chapter 1. Technology Previews
1.1. Storage and File Systems
1.2. Networking
1.3. Clustering
1.4. Security
1.5. Devices
1.6. Kernel
1.7. Virtualization
Chapter 2. Known Issues
2.1. Installation
2.2. Entitlement
2.3. Deployment
2.4. Virtualization
2.5. Storage and File Systems
2.6. Networking
2.7. Clustering
2.8. Authentication
2.9. Devices
2.10. Kernel
2.11. Desktop
Chapter 3. New Packages
3.1. RHEA-2011:1627 — new packages: btparser
3.2. RHEA-2011:1729 — new package: fcoe-target-utils
3.3. RHEA-2011:1653 — new package: libunistring
3.4. RHEA-2011:1636 — new package: libvirt-qmf
3.5. RHEA-2011:1609 — new package: libvirt-snmp
3.6. RHEA-2011:1714 — new packages: mesa-libGLw
3.7. RHBA-2011:1628 — new package: openslp
3.8. RHEA-2011:1545 — new package: passsync
3.9. RHEA-2011:1731 — new package: perl-Test-Inter
3.10. RHEA-2011:1725 — new package: python-configshell
3.11. RHEA-2011:1724 — new package: python-ipaddr
3.12. RHEA-2011:1728 — new package: python-rtslib
3.13. RHEA-2011:1727 — new package: python-simpleparse
3.14. RHEA-2012:0022 — new package: python-suds
3.15. RHEA-2011:1622 — new package: python-suds
3.16. RHEA-2011:1726 — new package: python-urwid
3.17. RHEA-2011:1590 — new package: sanlock
3.18. RHEA-2011:1640 — new packages: sgabios
3.19. RHEA-2011:1610 — new packages: spice-gtk
3.20. RHEA-2011:1633 — new package: tboot
3.21. RHEA-2011:1752 — new package: vios-proxy
3.22. RHEA-2011:1757 — new package: virt-who
3.23. RHEA-2011:1625 — new package: wdaemon
Chapter 4. Package Updates
4.1. 389-ds-base
4.2. abrt and libreport
4.3. acl
4.4. aide
4.5. alsa-lib
4.6. anaconda
4.7. apr
4.8. at
4.9. atlas
4.10. attr
4.11. audit
4.12. augeas
4.13. autofs
4.14. autotrace
4.15. bacula
4.16. bash
4.17. bfa-firmware
4.18. bind
4.19. bind-dyndb-ldap
4.20. binutils
4.21. biosdevname
4.22. blktrace
4.23. bltk
4.24. cachefilesd
4.25. certmonger
4.26. chkconfig
4.27. cifs-utils
4.28. cjkuni-fonts
4.29. cluster and gfs2-utils
4.30. clustermon
4.31. coolkey
4.32. coreutils
4.33. corosync
4.34. cpufrequtils
4.35. crash
4.36. crontabs
4.37. cryptsetup-luks
4.38. ctdb
4.39. cups
4.40. curl
4.41. cvs
4.42. cyrus-imapd
4.43. cyrus-sasl
4.44. device-mapper-multipath
4.45. DeviceKit-power
4.46. dhcp
4.47. dmidecode
4.48. dnsmasq
4.49. dosfstools
4.50. doxygen
4.51. dracut
4.52. dump
4.53. e2fsprogs
4.54. emacs
4.55. esc
4.56. expat
4.57. fcoe-utils
4.58. fence-agents
4.59. fence-virt
4.60. file
4.61. filesystem
4.62. fipscheck
4.63. firefox
4.64. firstaidkit
4.65. firstboot
4.66. freetype
4.67. fuse
4.68. gcc
4.69. gdb
4.70. gdm
4.71. ghostscript
4.72. glibc
4.73. gmp
4.74. gnome-power-manager
4.75. gnome-screensaver
4.76. gnome-session
4.77. gnome-system-monitor
4.78. gnome-terminal
4.79. gnutls
4.80. gpm
4.81. gpxe
4.82. graphviz
4.83. grub
4.84. guile
4.85. httpd
4.86. hwdata
4.87. ibus
4.88. ibus-anthy
4.89. ibus-table-erbi
4.90. icedtea-web
4.91. icu
4.92. ImageMagick
4.93. initscripts
4.94. ipa
4.95. ipa-pki-theme
4.96. ipmitool
4.97. iproute
4.98. iprutils
4.99. iptables
4.100. irqbalance
4.101. iscsi-initiator-utils
4.102. isdn4k-utils
4.103. iwl1000-firmware
4.104. iwl6000g2a-firmware
4.105. jasper
4.106. java-1.5.0-ibm
4.107. java-1.6.0-ibm
4.108. java-1.6.0-openjdk
4.109. java-1.6.0-sun
4.110. jss
4.111. jwhois
4.112. kabi-whitelists
4.113. kdeaccessibility
4.114. kdeadmin
4.115. kdebase
4.116. kdebase-workspace
4.117. kdepim-runtime
4.118. kdeutils
4.119. kernel
4.120. kexec-tools
4.121. keyutils
4.122. krb5
4.123. krb5-appl
4.124. ksh
4.125. less
4.126. libarchive
4.127. libatasmart
4.128. libcacard
4.129. libcap
4.130. libcgroup
4.131. libcmpiutil
4.132. libesmtp
4.133. libgcrypt
4.134. libgpg-error
4.135. libguestfs
4.136. libhbaapi
4.137. libhbalinux
4.138. libhugetlbfs
4.139. libica
4.140. libnih
4.141. libpng
4.142. libselinux
4.143. libsemanage
4.144. libsepol
4.145. libsndfile
4.146. libssh2
4.147. libtasn1
4.148. libtiff
4.149. libtirpc
4.150. libvirt
4.151. libvirt-cim
4.152. libvirt-qmf
4.153. libvorbis
4.154. libxklavier
4.155. libxml2
4.156. lldpad
4.157. lohit-assamese-fonts
4.158. lohit-bengali-fonts
4.159. lohit-gujarati-fonts
4.160. lohit-kannada-fonts
4.161. lohit-malayalam-fonts
4.162. lohit-oriya-fonts
4.163. lohit-punjabi-fonts
4.164. lohit-tamil-fonts
4.165. lohit-telugu-fonts
4.166. lsof
4.167. luci
4.168. lvm2
4.169. mailcap
4.170. mailman
4.171. man-pages-ja
4.172. man-pages-overrides
4.173. matahari
4.174. mcelog
4.175. mdadm
4.176. mesa
4.177. microcode_ctl
4.178. mingetty
4.179. mingw32
4.180. mingw32-qpid-cpp
4.181. mksh
4.182. mod_nss
4.183. mod_revocator
4.184. module-init-tools
4.185. mysql
4.186. nautilus
4.187. nautilus-open-terminal
4.188. ncompress
4.189. net-snmp
4.190. net-tools
4.191. netcf
4.192. NetworkManager
4.193. NetworkManager-openswan
4.194. newt
4.195. nfs-utils
4.196. nfs-utils-lib
4.197. nmap
4.198. nspr, nss, nss-softokn, and nss-util
4.199. nss
4.200. nss-pam-ldapd
4.201. nss_db
4.202. omping
4.203. opencryptoki
4.204. openldap
4.205. openmotif
4.206. openoffice.org
4.207. openscap
4.208. openssh
4.209. openssl
4.210. openssl-ibmca
4.211. openswan
4.212. oprofile
4.213. pacemaker
4.214. pam
4.215. pam_krb5
4.216. pam_ldap
4.217. papi
4.218. parted
4.219. passwd
4.220. pciutils
4.221. perl-Date-Manip
4.222. perl-Net-DNS
4.223. perl-NetAddr-IP
4.224. perl-Sys-Virt
4.225. perl-Test-Spelling
4.226. php
4.227. php-pear
4.228. pidgin
4.229. pinentry
4.230. piranha
4.231. pki-core
4.232. plymouth
4.233. policycoreutils
4.234. postgresql
4.235. powerpc-utils
4.236. powertop
4.237. prelink
4.238. procps
4.239. psacct
4.240. pulseaudio
4.241. pykickstart
4.242. pyparted
4.243. python
4.244. python-dmidecode
4.245. python-meh
4.246. python-netaddr
4.247. python-psycopg2
4.248. python-qpid
4.249. python-rhsm
4.250. python-slip
4.251. python-sqlalchemy
4.252. python-virtinst
4.253. qemu-kvm
4.254. ql2400-firmware
4.255. ql2500-firmware
4.256. Qpid
4.257. qpid-cpp
4.258. qpid-qmf
4.259. qpid-tests
4.260. qpid-tools
4.261. qt
4.262. qt3
4.263. raptor
4.264. RDMA
4.265. Red Hat Enterprise Linux Release Notes
4.266. redhat-release
4.267. redhat-rpm-config
4.268. resource-agents
4.269. rgmanager
4.270. rhn-client-tools and yum-rhn-plugin
4.271. rhnlib
4.272. ricci
4.273. rng-tools
4.274. rpm
4.275. rsyslog
4.276. ruby
4.277. s390utils
4.278. sabayon
4.279. samba
4.280. sblim-cmpi-base
4.281. sblim-cmpi-fsvol
4.282. sblim-cmpi-nfsv3
4.283. sblim-gather
4.284. sblim-sfcb
4.285. sblim-sfcc
4.286. sblim-smis-hba
4.287. scsi-target-utils
4.288. seabios
4.289. sed
4.290. seekwatcher
4.291. selinux-policy
4.292. setroubleshoot
4.293. setup
4.294. sg3_utils
4.295. shadow-utils
4.296. sigar
4.297. slapi-nis
4.298. smartmontools
4.299. sos
4.300. spice-client
4.301. spice-protocol
4.302. spice-server
4.303. spice-vdagent
4.304. squid
4.305. sssd
4.306. star
4.307. strace
4.308. subscription-manager
4.309. sudo
4.310. swig
4.311. system-config-firewall
4.312. system-config-kickstart
4.313. system-config-lvm
4.314. system-config-printer
4.315. system-switch-java
4.316. systemtap
4.317. t1lib
4.318. tcp_wrappers
4.319. tcsh
4.320. telnet
4.321. texlive
4.322. texlive-texmf
4.323. tftp
4.324. thunderbird
4.325. tmpwatch
4.326. tog-pegasus
4.327. tomcat6
4.328. tomcatjss
4.329. tsclient
4.330. tuned
4.331. udev
4.332. udisks
4.333. unicap
4.334. usbutils
4.335. util-linux-ng
4.336. valgrind
4.337. virt-manager
4.338. virt-top
4.339. virt-v2v
4.340. virt-viewer
4.341. virt-what
4.342. vsftpd
4.343. vte
4.344. which
4.345. wireshark
4.346. wpa_supplicant
4.347. X.Org
4.348. xdg-utils
4.349. xfsprogs
4.350. xinetd
4.351. xkeyboard-config
4.352. xorg-x11-drv-ati
4.353. xorg-x11-drv-intel
4.354. xorg-x11-drv-mga
4.355. xorg-x11-drv-nouveau
4.356. xorg-x11-drv-qxl
4.357. xorg-x11-drv-wacom and wacomcpl
4.358. xorg-x11-server
4.359. xorg-x11-server and tigervnc
4.360. xorg-x11-server-utils
4.361. xulrunner
4.362. yaboot
4.363. yp-tools
4.364. ypserv
4.365. yum
4.366. yum-utils
4.367. zlib
4.368. cluster
4.369. db4
4.370. rpcbind
4.371. rsync
4.372. tzdata
4.373. Red Hat Enterprise Linux 6.2 Extended Update Support 6-Month Notice
Revision History
Preface
The Red Hat Enterprise Linux 6.2 Technical Notes list and document the changes made to the Red Hat
Enterprise Linux 6 operating system and its accompanying applications between minor release Red
Hat Enterprise Linux 6.1 and minor release Red Hat Enterprise Linux 6.2.
For system administrators and others planning Red Hat Enterprise Linux 6.2 upgrades and
deployments, the Technical Notes provide a single, organized record of the bugs fixed in, features
added to, and Technology Previews included with this new release of Red Hat Enterprise Linux.
For auditors and compliance officers, the Red Hat Enterprise Linux 6.2 Technical Notes provide a
single, organized source for change tracking and compliance testing.
For every user, the Red Hat Enterprise Linux 6.2 Technical Notes provide details of what has changed in
this new release.
Note
The Package Manifest is available as a separate document.
Chapter 1. Technology Previews
Technology Preview features are currently not supported under Red Hat Enterprise Linux
subscription services, may not be functionally complete, and are generally not suitable for
production use. However, these features are included as a customer convenience and to provide the
feature with wider exposure.
Customers may find these features useful in a non-production environment. Customers are also free
to provide feedback and functionality suggestions for a Technology Preview feature before it
becomes fully supported. Errata will be provided for high-severity security issues.
During the development of a Technology Preview feature, additional components may become
available to the public for testing. It is the intention of Red Hat to fully support Technology Preview
features in a future release.
1.1. Storage and File Systems
Parallel NFS
Parallel NFS (pNFS) is a part of the NFS v4.1 standard that allows clients to access storage
devices directly and in parallel. The pNFS architecture eliminates the scalability and
performance issues associated with NFS servers in deployment today.
pNFS supports 3 different storage protocols or layouts: files, objects and blocks. The Red
Hat Enterprise Linux 6.2 NFS client supports the files layout protocol.
To automatically enable the pNFS functionality, create the /etc/modprobe.d/dist-nfsv41.conf
file with the following line and reboot the system:
alias nfs-layouttype4-1 nfs_layout_nfsv41_files
Now when the -o minorversion=1 mount option is specified, and the server is pNFS-enabled,
the pNFS client code is automatically enabled.
For more information on pNFS, refer to http://www.pnfs.com/.
Open multicast ping (Omping), BZ#657370
Open Multicast Ping (Omping) is a tool to test the IP multicast functionality, primarily in the
local network. This utility allows users to test IP multicast functionality and assists in
diagnosing whether an issue is in the network configuration or elsewhere (that is, a bug). In Red
Hat Enterprise Linux 6 Omping is provided as a Technology Preview.
Matahari
Matahari provides a set of Application Programming Interfaces (APIs) for operating systems
management for remote access over QMF/QPID. Matahari in Red Hat Enterprise Linux 6.2 is
fully supported only for Intel 64 and AMD64 architectures. Builds for other architectures are
considered a Technology Preview.
System Information Gatherer and Reporter (SIGAR)
The System Information Gatherer and Reporter (SIGAR) is a library and command-line tool
for accessing operating system and hardware level information across multiple platforms
and programming languages. In Red Hat Enterprise Linux 6.2, SIGAR is considered a
Technology Preview package.
fsfreeze
Red Hat Enterprise Linux 6 includes fsfreeze as a Technology Preview. fsfreeze is a new
command that halts access to a file system on a disk. fsfreeze is designed to be used with
hardware RAID devices, assisting in the creation of volume snapshots. For more details on
the fsfreeze utility, refer to the fsfreeze(8) man page.
DIF/DIX support
DIF/DIX is a new addition to the SCSI Standard and a Technology Preview in Red Hat
Enterprise Linux 6. DIF/DIX increases the size of the commonly used 512-byte disk block
from 512 to 520 bytes, adding the Data Integrity Field (DIF). The DIF stores a checksum
value for the data block that is calculated by the Host Bus Adapter (HBA) when a write
occurs. The storage device then confirms the checksum on receive, and stores both the
data and the checksum. Conversely, when a read occurs, the checksum can be checked by
the storage device, and by the receiving HBA.
The DIF/DIX hardware checksum feature must only be used with applications that
exclusively issue O_DIRECT I/O. These applications may use the raw block device, or the
XFS file system in O_DIRECT mode. (XFS is the only file system that does not fall back to
buffered I/O when doing certain allocation operations.) Only applications designed for use
with O_DIRECT I/O and DIF/DIX hardware should enable this feature.
For more information, refer to section Block Devices with DIF/DIX Enabled in the Storage
Administration Guide.
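The 512-to-520-byte extension described above can be made concrete with the following added example, which is not part of the Technical Notes or of any Red Hat code. It assumes the T10 DIF Type 1 layout for the 8 extra bytes (a 2-byte CRC guard tag, a 2-byte application tag and a 4-byte reference tag holding the low 32 bits of the LBA); that layout, the CRC parameters and all function names are assumptions taken from the T10 definition, not from this page.

```c
/* Added example: T10 DIF Type 1 protection of one 512-byte sector.
 * Field layout and CRC parameters follow the T10 definition, not this page. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512
#define DIF_SIZE    8                       /* 512 + 8 = 520 bytes per block */
#define BLOCK_SIZE  (SECTOR_SIZE + DIF_SIZE)

enum dif_status { DIF_OK = 0, DIF_GUARD_ERROR = 1, DIF_REF_ERROR = 2 };

/* CRC-16/T10-DIF: polynomial 0x8BB7, initial value 0, no bit reflection. */
uint16_t crc_t10dif(const uint8_t *buf, size_t len)
{
    uint16_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)((uint16_t)buf[i] << 8);
        for (int bit = 0; bit < 8; bit++) {
            if (crc & 0x8000)
                crc = (uint16_t)((crc << 1) ^ 0x8BB7);
            else
                crc = (uint16_t)(crc << 1);
        }
    }
    return crc;
}

/* Sender side (the HBA on a write): append guard, application and
 * reference tags, all big-endian, to the 512 data bytes. */
void dif_protect(const uint8_t *data, uint32_t lba, uint16_t app_tag,
                 uint8_t *block)
{
    uint16_t guard = crc_t10dif(data, SECTOR_SIZE);
    uint8_t *dif = block + SECTOR_SIZE;

    memcpy(block, data, SECTOR_SIZE);
    dif[0] = (uint8_t)(guard >> 8);
    dif[1] = (uint8_t)guard;
    dif[2] = (uint8_t)(app_tag >> 8);
    dif[3] = (uint8_t)app_tag;
    dif[4] = (uint8_t)(lba >> 24);
    dif[5] = (uint8_t)(lba >> 16);
    dif[6] = (uint8_t)(lba >> 8);
    dif[7] = (uint8_t)lba;
}

/* Receiver side (storage device on a write, HBA on a read): recompute the
 * guard and compare the reference tag with the LBA actually addressed. */
enum dif_status dif_verify(const uint8_t *block, uint32_t expected_lba)
{
    const uint8_t *dif = block + SECTOR_SIZE;
    uint16_t guard = (uint16_t)((dif[0] << 8) | dif[1]);
    uint32_t ref = ((uint32_t)dif[4] << 24) | ((uint32_t)dif[5] << 16) |
                   ((uint32_t)dif[6] << 8) | (uint32_t)dif[7];

    if (crc_t10dif(block, SECTOR_SIZE) != guard)
        return DIF_GUARD_ERROR;             /* payload changed in flight */
    if (ref != expected_lba)
        return DIF_REF_ERROR;               /* block belongs to another LBA */
    return DIF_OK;
}

/* Constructed scenario: protect a sector for LBA 1000, optionally flip one
 * payload bit, then verify it as if it had been read from read_lba. */
enum dif_status demo_roundtrip(int flip_bit, uint32_t read_lba)
{
    uint8_t data[SECTOR_SIZE], block[BLOCK_SIZE];

    for (size_t i = 0; i < SECTOR_SIZE; i++)
        data[i] = (uint8_t)(i * 7 + 3);     /* constructed sample payload */
    dif_protect(data, 1000, 0, block);
    if (flip_bit)
        block[100] ^= 0x01;
    return dif_verify(block, read_lba);
}

int main(void)
{
    printf("crc check value: 0x%04X\n",
           (unsigned)crc_t10dif((const uint8_t *)"123456789", 9));
    printf("clean=%d flipped=%d misdirected=%d\n",
           demo_roundtrip(0, 1000), demo_roundtrip(1, 1000),
           demo_roundtrip(0, 1001));
    return 0;
}
```

The guard tag catches payload corruption, while the reference tag catches an intact block that was written to or read from the wrong address, which a data checksum alone cannot detect.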
File system in user space
Filesystem in Userspace (FUSE) allows for custom file systems to be developed and run in
user space.
Btrfs, BZ#614121
Btrfs is under development as a file system capable of addressing and managing more
files, larger files, and larger volumes than the ext2, ext3, and ext4 file systems. Btrfs is
designed to make the file system tolerant of errors, and to facilitate the detection and repair
of errors when they occur. It uses checksums to ensure the validity of data and metadata,
and maintains snapshots of the file system that can be used for backup or repair. The btrfs
Technology Preview is only available on AMD64 and Intel 64 architectures.
Btrfs is still experimental
Red Hat Enterprise Linux 6 includes Btrfs as a technology preview to allow you to
experiment with this file system. You should not choose Btrfs for partitions that will
contain valuable data or that are essential for the operation of important systems.
LVM Application Programming Interface (API)
Red Hat Enterprise Linux 6 features the new LVM application programming interface (API)
as a Technology Preview. This API is used to query and control certain aspects of LVM.
LVM RAID support, BZ#729712
In Red Hat Enterprise Linux 6.2, support for MD's RAID personalities has been added to
LVM as a Technology Preview. The following basic features are available: create, display,
rename, use, and remove RAID logical volumes. Automated fault tolerance is not yet
available.
FS-Cache
FS-Cache is a new feature in Red Hat Enterprise Linux 6 that enables networked file
systems (e.g. NFS) to have a persistent cache of data on the client machine.
eCryptfs File System
eCryptfs is a stacked, cryptographic file system. It is transparent to the underlying file
system and provides per-file granularity. eCryptfs is provided as a Technology Preview in
Red Hat Enterprise Linux 6.
1.2. Networking
vios-proxy, BZ#721119
vios-proxy is a stream-socket proxy for providing connectivity between a client on a virtual
guest and a server on a Hypervisor host. Communication occurs over virtio-serial links.
IPv6 support in IPVS
The IPv6 support in IPVS (IP Virtual Server) is considered a Technology Preview.
1.3. Clustering
Support for redundant ring for standalone Corosync, BZ#722469
Red Hat Enterprise Linux 6.2 introduces support for redundant ring with autorecovery
feature as a Technology Preview. Refer to Section 2.7, “Clustering” for a list of known
issues associated with this Technology Preview.
corosync-cpgtool, BZ#688260
The corosync-cpgtool now specifies both interfaces in a dual ring configuration. This
feature is a Technology Preview.
Disabling rgmanager in /etc/cluster.conf, BZ#723925
As a consequence of converting the /etc/cluster.conf configuration file to be used by
pacemaker, rgmanager must be disabled. The risk of not doing this is high; after a
successful conversion, it would be possible to start rgmanager and pacemaker on the
same host, managing the same resources.
Consequently, Red Hat Enterprise Linux 6.2 includes a feature (as a Technology Preview)
that forces the following requirements:
rgmanager must refuse to start if it sees the <rm disabled="1"> flag in
/etc/cluster.conf.
rgmanager must stop any resources and exit if the <rm disabled="1"> flag appears
in /etc/cluster.conf during a reconfiguration.
pacemaker, BZ#456895
Pacemaker, a scalable high-availability cluster resource manager, is included in Red Hat
Enterprise Linux 6 as a Technology Preview. Pacemaker is not fully integrated with the Red
Hat cluster stack.
1.4. Security
TPM
TPM hardware can create, store and use RSA keys securely (without ever being exposed in
memory), verify a platform's software state using cryptographic hashes and more. The user
space libraries, trousers and tpm-tools, are considered a Technology Preview.
1.5. Devices
Brocade BFA driver
The Brocade BFA driver is considered a Technology Preview feature in Red Hat Enterprise
Linux 6. The BFA driver supports Brocade FibreChannel and FCoE mass storage adapters.
SR-IOV on the be2net driver, BZ#602451
The SR-IOV functionality of the Emulex be2net driver is considered a Technology Preview
in Red Hat Enterprise Linux 6.
1.6. Kernel
Support for Fiber Channel over Ethernet (FCoE) target mode
Red Hat Enterprise Linux 6.2 includes support for Fiber Channel over Ethernet (FCoE)
target mode as a Technology Preview. This kernel feature is configurable via targetadmin,
supplied by the fcoe-target-utils package. FCoE is designed to be used on a network
supporting Data Center Bridging (DCB). Further details are available in the dcbtool(8)
and targetadmin(8) man pages.
Important
This feature uses the new SCSI target layer, which falls under this Technology
Preview, and should not be used independently from the FCoE target support. This
package contains the AGPL license.
Kernel Media support
The following features are presented as Technology Previews:
The latest upstream video4linux
Digital video broadcasting
Primarily infrared remote control device support
Various webcam support fixes and improvements
Remote audit logging
The audit package contains the user space utilities for storing and searching the audit
records generated by the audit subsystem in the Linux 2.6 kernel. Within the audispd-plugins
subpackage is a utility that allows for the transmission of audit events to a remote
aggregating machine. This remote audit logging application, audisp-remote, is
considered a Technology Preview in Red Hat Enterprise Linux 6.
Linux (NameSpace) Container [LXC]
Linux containers provide a flexible approach to application runtime containment on bare-metal
systems without the need to fully virtualize the workload. Red Hat Enterprise Linux 6.2
provides application level containers to separate and control the application resource
usage policies via cgroup and namespaces. This release introduces basic management of
container life-cycle by allowing creation, editing and deletion of containers via the libvirt
API and the virt-manager GUI. Linux Containers are a Technology Preview.
Diagnostic pulse for the fence_ipmilan agent, BZ#655764
A diagnostic pulse can now be issued on the IPMI interface using the fence_ipmilan
agent. This new Technology Preview is used to force a kernel dump of a host if the host is
configured to do so. Note that this feature is not a substitute for the off operation in a
production cluster.
EDAC driver support, BZ#647700
Red Hat Enterprise Linux 6.2's EDAC driver support for the latest Intel chipset is available
as a Technical Preview.
1.7. Virtualization
System monitoring via SNMP, BZ#642556
This feature provides KVM support for stable technology that is already used in data centers
with bare metal systems. SNMP is the standard for monitoring and is extremely well
understood as well as computationally efficient. System monitoring via SNMP in Red Hat
Enterprise Linux 6.2 allows the KVM hosts to send SNMP traps on events so that hypervisor
events can be communicated to the user via standard SNMP protocol. This feature is
provided through the addition of a new package: libvirt-snmp. This feature is introduced as
a Technology Preview.
Wire speed requirement in KVM network drivers
Virtualization and cloud products that run networking work loads need to run at wire speed.
Up until Red Hat Enterprise Linux 6.1, the only way to reach wire speed on a 10 GB Ethernet
NIC with a lower CPU utilization was to use PCI device assignment (passthrough), which
limits other features like memory overcommit and guest migration.
The macvtap/vhost zero-copy capabilities allow the user to use those features when
high performance is required. This feature improves performance for any Red Hat Enterprise
Linux 6.x guest in the VEPA use case. This feature is introduced as a Technology Preview.
Chapter 2. Known Issues
2.1. Installation
anaconda component, BZ#676025
Users performing an upgrade using Anaconda's text mode interface who do not have a
boot loader already installed on the system, or who have a non-GRUB boot loader, need to
select Skip Boot Loader Configuration during the installation process. Boot
loader configuration will need to be completed manually after installation. This problem
does not affect users running Anaconda in the graphical mode (graphical mode also
includes VNC connectivity mode).
anaconda component
Anaconda fails to install to partitions of size 2.2 TB and larger.
anaconda component
On s390x systems, you cannot use automatic partitioning and encryption. If you want to
use storage encryption, you must perform custom partitioning. Do not place the /boot
volume on an encrypted volume.
anaconda component
The order of device names assigned to USB attached storage devices is not guaranteed.
Certain USB attached storage devices may take longer to initialize than others, which can
result in the device receiving a different name than you expect (for example, sdc instead of
sda).
During installation, verify the storage device size, name, and type when configuring
partitions and file systems.
kernel component
Dell systems based on a future Intel processor with graphics acceleration require the
selection of the install system with basic video driver installation option. A
future Red Hat Enterprise Linux 6.2.z Extended Update Support update will remove this
requirement.
kernel component
Recent Red Hat Enterprise Linux 6 releases use a new naming scheme for network
interfaces on some machines. As a result, the installer may use different names during an
upgrade in certain scenarios (typically em1 is used instead of eth0 on new Dell machines).
However, the previously used network interface names are preserved on the system and the
upgraded system will still use the previously used interfaces. This is not the case for Yum
upgrades.
anaconda component
The kdump default on feature currently depends on Anaconda to insert the
crashkernel= parameter to the kernel parameter list in the boot loader's configuration file.
firstaidkit component
The firstaidkit-plugin-grub package has been removed from Red Hat Enterprise Linux 6.2. As a
consequence, in rare cases, the system upgrade operation may fail with unresolved
dependencies if the plug-in has been installed in a previous version of Red Hat Enterprise
Linux. To avoid this problem, the firstaidkit-plugin-grub package should be removed before
upgrading the system. However, in most cases, the system upgrade completes as expected.
anaconda component, BZ#623261
In some circumstances, disks that contain a whole disk format (for example, an LVM Physical
Volume populating a whole disk) are not cleared correctly using the clearpart --initlabel
kickstart command. Adding the --all switch (as in clearpart --initlabel --all) ensures
disks are cleared correctly.
squashfs-tools component
During the installation on POWER systems, error messages similar to:
attempt to access beyond end of device
loop0: rw=0, want=248626, limit=248624
may be returned to sys.log. These errors do not prevent installation and only occur
during the initial setup. The file system created by the installer will function correctly.
anaconda component
When installing on the IBM System z architecture, if the installation is being performed over
SSH, avoid resizing the terminal window containing the SSH session. If the terminal window
is resized during the installation, the installer will exit and the installation will terminate.
yaboot component, BZ#613929
The kernel image provided on the CD/DVD is too large for Open Firmware. Consequently,
on the POWER architecture, directly booting the kernel image over a network from the
CD/DVD is not possible. Instead, use yaboot to boot from a network.
anaconda component
The Anaconda partition editing interface includes a button labeled Resize. This feature is
intended for users wishing to shrink an existing file system and an underlying volume to
make room for an installation of a new system. Users performing manual partitioning
cannot use the Resize button to change sizes of partitions as they create them. If you
determine a partition needs to be larger than you initially created it, you must delete the first
one in the partitioning editor and create a new one with the larger size.
system-config-kickstart component
Channel IDs (read, write, data) for network devices are required for defining and
configuring network devices on IBM S/390 systems. However, system-config-kickstart
(the graphical user interface for generating a kickstart configuration) cannot
define channel IDs for a network device. To work around this issue, manually edit the
kickstart configuration that system-config-kickstart generates to include the desired
network devices.
dracut component
During FCoE BFS installation, when an Ethernet interface goes offline after discovering the
targets, FCoE link will never come up. This is because Anaconda creates an FCoE
configuration file under /etc/fcoe/ using biosdevname (new style interface naming
scheme) for all the available Ethernet interfaces for FCoE BFS. However, it does not add the
ifname kernel command line for the FCoE interface that stays offline after discovering
FCoE targets during installation. Because of this, during subsequent reboots, the system
tries to find the old style ethX interface name in the /etc/fcoe directory, which does not
match with the file created by Anaconda using biosdevname. Therefore, due to the
missing FCoE configuration file, an FCoE interface is never created on the Ethernet
interface.
To avoid this problem, ensure that the Ethernet interface does not go offline during FCoE
BFS installation.
If the Ethernet interface does go offline during installation after discovering the targets, add
the following parameter to the kernel command line:
ifname=<biosdevname_interface_name>:<mac_address>
2.2. Entitlement
subscription manager component
When registering a system with firstboot, the RHN Classic option is checked by default in
the Subscription part.
2.3. Deployment
cpuspeed component, BZ#626893
Some HP Proliant servers may report incorrect CPU frequency values in /proc/cpuinfo
or /sys/device/system/cpu/*/cpufreq. This is due to the firmware manipulating the
CPU frequency without providing any notification to the operating system. To avoid this,
ensure that the HP Power Regulator option in the BIOS is set to OS Control. An
alternative available on more recent systems is to set Collaborative Power Control
to Enabled.
releng component, BZ#644778
Some packages in the Optional repositories on RHN have multilib file conflicts.
Consequently, these packages cannot have both the primary architecture (for example,
x86_64) and secondary architecture (for example, i686) copies of the package installed on
the same machine simultaneously. To work around this issue, install only one copy of the
conflicting package.
releng component
The openmpi-psm and openmpi-psm-devel packages are not provided on architectures other
than AMD64 and Intel 64 for Red Hat Enterprise Linux 6.2. If the openmpi-psm.i686 or/and
openmpi-psm-devel.i686 packages are installed on an AMD64 or an Intel 64 system, remove
these packages before you attempt to update Open MPI.
grub component, BZ#695951
On certain UEFI-based systems, you may need to type BOOTX64 rather than bootx64 to
boot the installer due to case sensitivity issues.
grub component, BZ#698708
When rebuilding the grub package on the x86_64 architecture, the glibc-static.i686 package
must be used. Using the glibc-static.x86_64 package will not meet the build requirements.
parted component
The parted utility in Red Hat Enterprise Linux 6 cannot handle Extended Address Volumes
(EAV) Direct Access Storage Devices (DASD) that have more than 65535 cylinders.
Consequently, EAV DASD drives cannot be partitioned using parted, and installation on
EAV DASD drives will fail. To work around this issue, complete the installation on a
non-EAV DASD drive, then add the EAV device after the installation using the tools provided in
the s390-utils package.
PackageKit component
If you are being asked repeatedly to enter your root password while using PackageKit to
update your system via non-Red Hat repositories, you may be affected by the PackageKit
issue described in Section 2.11, “Desktop”.
2.4. Virtualization
ovirt-node component, BZ#747102
Upgrades from Beta to the GA version will result in an incorrect partitioning of the host. The
GA version must be installed clean. UEFI machines must be set to legacy boot options for
RHEV-H to boot successfully after installation.
kernel component
When a system boots from SAN, it starts the libvirtd service, which enables IP
forwarding. The service causes a driver reset on both Ethernet ports which causes a loss of
all paths to an OS disk. Under this condition, the system cannot load firmware files from the
OS disk to initialize Ethernet ports, eventually never recovers paths to the OS disk, and fails
to boot from SAN. To work around this issue add the bnx2x.disable_tpa=1 option to
the kernel command line of the GRUB menu, or do not install virtualization related software
and manually enable IP forwarding when needed.
kernel component
Booting Red Hat Enterprise Linux 6.2 as an HVM guest with more than one vCPU on
machines that support SMEP and using Red Hat Enterprise Linux 5.7 and earlier Xen
Hypervisors fails. To work around this issue, boot the guest with the nosmep kernel
command line option.
vdsm component
If the /root/.ssh directory is missing from a host when it is added to a Red Hat Enterprise
Virtualization Manager data center, the directory is created with a wrong SELinux context,
and SSH'ing into the host is denied. To work around this issue, manually create the
/root/.ssh directory with the correct SELinux context:
~]# mkdir /root/.ssh
~]# chmod 0700 /root/.ssh
~]# restorecon /root/.ssh
vdsm component
VDSM now configures libvirt so that connection to its local read-write UNIX domain socket
is password-protected by SASL. The intention is to protect virtual machines from human
errors of local host administrators. All operations that may change the state of virtual
machines on a Red Hat Enterprise Virtualization-controlled host must be performed from
Red Hat Enterprise Virtualization Manager.
libvirt component
In earlier versions of Red Hat Enterprise Linux, libvirt permitted PCI devices to be
insecurely assigned to guests. In Red Hat Enterprise Linux 6, assignment of insecure
devices is disabled by default by libvirt. However, this may cause assignment of
previously working devices to start failing. To enable the old, insecure setting, edit the
/etc/libvirt/qemu.conf file, set the relaxed_acs_check = 1 parameter, and
restart libvirtd (service libvirtd restart). Note that this action will re-open
possible security issues.
virtio-win component, BZ#615928
The balloon service on Windows 7 guests can only be started by the Administrator user.
libvirt component, BZ#622649
libvirt uses transient iptables rules for managing NAT or bridging to virtual machine
guests. Any external command that reloads the iptables state (such as running
system-config-firewall) will overwrite the entries needed by libvirt. Consequently, after running
any command or tool that changes the state of iptables, guests may lose access to the
network. To work around this issue, use the service libvirtd reload command to
restore libvirt's additional iptables rules.
virtio-win component, BZ#612801
A Windows virtual machine must be restarted after the installation of the kernel Windows
driver framework. If the virtual machine is not restarted, it may crash when a memory
balloon operation is performed.
qemu-kvm component, BZ#720597
Installation of Windows 7 Ultimate x86 (32-bit) Service Pack 1 on a guest with more than
4GB of RAM and more than one CPU from a DVD medium often crashes during the final
steps of the installation process due to a system hang. To work around this issue, use the
Windows Update utility to install the Service Pack.
qemu-kvm component, BZ#612788
A dual function Intel 82576 Gigabit Ethernet Controller interface (codename: Kawela, PCI
Vendor/Device ID: 8086:10c9) cannot have both physical functions (PF's) device-assigned
to a Windows 2008 guest. Either physical function can be device assigned to a Windows
2008 guest (PCI function 0 or function 1), but not both.
virt-v2v component
In Red Hat Enterprise Linux 6.2, the default virt-v2v configuration is split into two files:
/etc/virt-v2v.conf and /var/lib/virt-v2v/virt-v2v.db. The former now
contains only local customizations, whereas the latter contains generic configuration which
is not intended to be customized. Prior to Red Hat Enterprise Linux 6.2, virt-v2v's -f flag
defaulted to /etc/virt-v2v.conf. In Red Hat Enterprise Linux 6.2, it now defaults to
both /etc/virt-v2v.conf and /var/lib/virt-v2v/virt-v2v.db. Data from both
of these files is required during conversion.
This change has no impact for most users. If a machine is upgraded from Red Hat
Enterprise Linux 6.1 to Red Hat Enterprise Linux 6.2, the existing combined
/etc/virt-v2v.conf will not be updated. If a user explicitly specifies -f /etc/virt-v2v.conf on
the command line, the behavior will be identical to the one prior to update. If the user does
not specify the -f command line option, the configuration will use both
/etc/virt-v2v.conf and /var/lib/virt-v2v/virt-v2v.db, with the former taking precedence.
However, a freshly-installed Red Hat Enterprise Linux 6.2 machine with a default
configuration no longer has all required data in /etc/virt-v2v.conf. If the user
explicitly specifies -f /etc/virt-v2v.conf on the command line, virt-v2v will not be
able to enable virtio support for any guests.
To work around this issue, do not use the -f command line option, as this defaults to using
both configuration files. If the -f command line option is used, it must be specified twice:
first for /etc/virt-v2v.conf and second for /var/lib/virt-v2v/virt-v2v.conf.
If the virt-v2v command line cannot be altered, the /etc/virt-v2v.conf file must
contain a combined configuration file. This can be copied from a Red Hat Enterprise Linux
6.1 system, or created by copying all configuration elements from
/var/lib/virt-v2v/virt-v2v.db to /etc/virt-v2v.conf.
virt-v2v component, BZ#618091
The virt-v2v utility is able to convert guests running on an ESX server. However, if an ESX
guest has a disk with a snapshot, the snapshot must be on the same datastore as the
underlying disk storage. If the snapshot and the underlying storage are on different
datastores, virt-v2v will report a 404 error while trying to retrieve the storage.
virt-v2v component, BZ#678232
The VMware Tools application on Microsoft Windows is unable to disable itself when it
detects that it is no longer running on a VMware platform. Consequently, converting a
Microsoft Windows guest from VMware ESX, which has VMware Tools installed, will result in
errors. These errors usually manifest as error messages on start-up, and a "Stop Error"
(also known as a BSOD) when shutting down the guest. To work around this issue,
uninstall VMware Tools on Microsoft Windows guests prior to conversion.
spice-client component
Sound recording only works when there is no application accessing the recording device
at the client start-up.
2.5. Storage and File Systems
device-mapper-multipath component
Multipath's queue_without_daemon yes default option queues I/O even though all
iSCSI links have been disconnected when the system is shut down, which causes LVM to
become unresponsive when scanning all block devices. As a result, the system cannot be
shut down. To work around this issue, add the following line into the defaults section of
/etc/multipath.conf:
queue_without_daemon no
initscripts component
If the /etc/fstab file contains an NFS mount entry that has the file system check (fsck)
enabled, the netfs service responsible for mounting and unmounting NFS file systems
initializes the file system check. Because NFS is not a block-level file system, this operation
fails, and subsequently also fails the system boot itself. To work around this problem,
disable the file system check by setting the sixth value for NFS mount entries to 0.
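The check described in the initscripts entry above can be automated. The following is an added example, not part of the Red Hat notes: it lists NFS entries in an fstab-format file whose sixth field is non-zero and prints a corrected copy. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an fstab-format file for NFS entries whose sixth
# field (fs_passno) is non-zero, the condition that makes netfs run fsck.
# Function names and the sample data below are constructed for illustration.

# List offending entries. $1: fstab-format file (default: standard input).
nfs_fsck_entries() {
    awk '
        /^[ \t]*#/ { next }                      # comment line
        NF < 6     { next }                      # field 6 absent means 0
        $3 ~ /^nfs4?$/ && $6 + 0 != 0 {
            printf "line %d: %s on %s has fs_passno=%s\n", NR, $1, $2, $6
        }
    ' "${1:--}"
}

# Print a copy with the sixth field of every NFS entry set to 0.
# Rewritten lines are re-joined with single spaces; other lines are unchanged.
fix_nfs_fsck() {
    awk '
        /^[ \t]*#/ || NF < 6           { print; next }
        $3 ~ /^nfs4?$/ && $6 + 0 != 0  { $6 = 0 }
        { print }
    ' "${1:--}"
}

# Constructed sample input.
sample_fstab() {
    cat <<'EOF'
# constructed sample, not from a real host
/dev/mapper/vg_root-lv_root  /       ext4  defaults  1 1
nfs.example.com:/export/home /home   nfs   defaults  0 2
nfs.example.com:/export/data /data   nfs4  rw,hard   0 0
nfs.example.com:/export/pub  /pub    nfs   ro
EOF
}

# Report the offending entry, then show the corrected file.
sample_fstab | nfs_fsck_entries
sample_fstab | fix_nfs_fsck
```

On a real host, pass /etc/fstab as the argument and review the output of fix_nfs_fsck before replacing the file.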
iscsi-initiator-utils component, BZ#739843
iSCSI discovery via a TOE (TCP Offload Engine) interface fails when the iscsiadm -m
iface command has never been executed. This is due to the iscsiadm -m discovery command
not checking interface settings while the iscsiadm -m iface does. To work around this
issue, run the iscsiadm -m iface command at least once after installing the
iscsi-initiator-utils package. Once the interface setting is updated, discoveries are performed with
no errors.
vdsm component
Attempting to create/extend a storage domain on/with a device that exposes a block size
different than 512 bytes causes such create/extend request to fail. To work around this issue, the
storage must be configured to expose a block size of 512 bytes.
kernel component, BZ#606260
The NFSv4 server in Red Hat Enterprise Linux 6 currently allows clients to mount using
UDP and advertises NFSv4 over UDP with rpcbind. However, this configuration is not
supported by Red Hat and violates the RFC 3530 standard.
lvm2 component
The dracut utility currently only supports one FiberChannel over Ethernet (FCoE)
connection to be used to boot from the root device. Consequently, booting from a root
device that spans multiple FCoE devices (for example, using RAID, LVM or similar
techniques) is not possible.
lvm2 component
The pvmove command cannot currently be used to move mirror devices. However, it is
possible to move mirror devices by issuing a sequence of two commands. For mirror
images, add a new image on the destination PV and then remove the mirror image on the
source PV:
~]$ lvconvert -m +1 <vg/lv> <new PV>
~]$ lvconvert -m -1 <vg/lv> <old PV>
Mirror logs can be handled in a similar fashion:
~]$ lvconvert --mirrorlog core <vg/lv>
~]$ lvconvert --mirrorlog disk <vg/lv> <new PV>
or
~]$ lvconvert --mirrorlog mirrored <vg/lv> <new PV>
~]$ lvconvert --mirrorlog disk <vg/lv> <old PV>
2.6. Networking
NetworkManager component
To ensure that RFC3442-standard classless static routes provided by a DHCP server are
processed correctly when using NetworkManager, the following lines should be placed into
the /etc/dhclient.conf file or, if using per-interface DHCP options, the
/etc/dhclient-<ifname>.conf file:
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
option ms-classless-static-routes code 249 = array of unsigned integer 8;
also request rfc3442-classless-static-routes;
also request ms-classless-static-routes;
The above lines will ensure that RFC3442 classless static routes are requested from the
DHCP server, and that they are properly processed by NetworkManager.
iprutils component
Users of the IBM PCI-E Gen2 6GB SAS RAID adapter (FC 5913) in Red Hat Enterprise Linux
6.2 may encounter the following issues:
Updating firmware on a storage drawer that is connected to the adapter mentioned
above using the iprconfig command fails.
Attempting to change the asymmetric access for an array results in a failure.
Additionally, not specifying asymmetric access as an option to the iprconfig
command results in a failure as well.
2.7. Clustering
corosync component, BZ#722469
A double ring failure results in the spinning of the corosync process. Also, because DLM
relies on SCTP, which is non-functional, many features of the cluster software that rely on
DLM do not work properly.
luci component, BZ#615898
luci will not function with Red Hat Enterprise Linux 5 clusters unless each cluster node
has ricci version 0.12.2-14
2.8. Authentication
Identity Management component
When transitioning to a fully supported Identity Management version in Red Hat Enterprise
Linux 6.2, uninstall any previous beta version of Identity Management or Technology
Preview parts of Red Hat Enterprise Identity (IPA) available in the Red Hat Enterprise Linux
6.1 Technology Preview and install Identity Management again.
Identity Management component
When an Identity Management server is installed with a custom hostname that is not
resolvable, the ipa-server-install command should add a record to the static
hostname lookup table in /etc/hosts and enable further configuration of Identity
Management integrated services. However, a record is not added to /etc/hosts when an
IP address is passed as a CLI option and not interactively. Consequently, Identity
Management installation fails because integrated services that are being configured expect
the Identity Management server hostname to be resolvable. To work around this issue,
complete one of the following:
Run the ipa-server-install command without the --ip-address option and pass the IP
address interactively.
Add a record to /etc/hosts before the installation is started. The record should
contain the Identity Management server IP address and its full hostname (the hosts(5)
man page specifies the record format).
As a result, the Identity Management server can be installed with a custom hostname that is
not resolvable.
sssd component, BZ#750922
Upgrading SSSD from the version provided in Red Hat Enterprise Linux 6.1 to the version
shipped with Red Hat Enterprise Linux 6.2 may fail due to a bug in the dependent library
libldb. This failure occurs when the SSSD cache contains internal entries whose
distinguished name contains the \, character sequence. The most likely example of this is
for an invalid memberUID entry to appear in an LDAP group of the form:
memberUID: user1,user2
memberUID is a multi-valued attribute and should not have multiple users in the same
attribute.
If the upgrade issue occurs, identifiable by the following debug log message:
(Wed Nov 2 15:18:21 2011) [sssd] [ldb] (0): A transaction is still
active in
ldb context [0xaa0460] on /var/lib/sss/db/cache_<DOMAIN>.ldb
remove the /var/lib/sss/db/cache_<DOMAIN>.ldb file and restart SSSD.
Removing the /var/lib/sss/db/cache_<DOMAIN>.ldb file
Removing the /var/lib/sss/db/cache_<DOMAIN>.ldb file purges the cache of
all entries (including cached credentials).
sssd component, BZ#751314
When a group contains certain incorrect multi-valued memberUID values, SSSD fails to
sanitize the values properly. The memberUID value should only contain one username. As
a result, SSSD creates incorrect users, using the broken memberUID values as their
usernames. This, for example, causes problems during cache indexing.
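Both SSSD entries above (BZ#750922 and BZ#751314) stem from memberUID values that hold more than one user name. The following added example, which is not part of the Red Hat notes, scans an LDIF export of the group tree for such values so that they can be corrected in the directory. The function names and sample entries are constructed, and it assumes a base64 utility that accepts -d.

```shell
#!/bin/sh
# Added example: list groups in an LDIF export whose memberUid values contain
# a comma, i.e. several user names packed into one attribute value.
# Function names and the sample entries below are constructed for illustration.

# $1: LDIF file (default: standard input).
# Output: one line per finding, "<dn line><TAB><offending value>".
bad_memberuid_entries() {
    awk '
        # LDIF folding: a line starting with one space continues the previous one.
        /^ /  { line = line substr($0, 2); next }
              { if (have) check(line); line = $0; have = 1 }
        END   { if (have) check(line) }

        function check(l,    val, cmd) {
            if (l == "") { dn = ""; return }              # blank line ends an entry
            if (tolower(l) ~ /^dn:/) { dn = l; return }
            if (tolower(l) !~ /^memberuid:/) return
            val = substr(l, length("memberuid:") + 1)
            if (val ~ /^: *[A-Za-z0-9+\/=]+$/) {
                # "::" marks a base64 value. Only the base64 alphabet was
                # accepted above, so the value is safe to pass to the shell.
                sub(/^: */, "", val)
                cmd = "printf %s " val " | base64 -d"
                val = ""
                cmd | getline val
                close(cmd)
            } else {
                sub(/^ */, "", val)
            }
            if (val ~ /,/) printf "%s\t%s\n", dn, val
        }
    ' "${1:--}"
}

# Constructed sample: one valid group, one with comma-joined values (the
# second one folded across two lines), one with a base64-encoded value.
sample_ldif() {
    cat <<'EOF'
dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: staff
memberUid: user1
memberUid: user2

dn: cn=broken,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: broken
memberUid: user1,user2
memberUid: carol,da
 ve

dn: cn=encoded,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: encoded
memberUid:: IHVzZXIxLHVzZXIy
EOF
}

sample_ldif | bad_memberuid_entries
```

Groups reported here should be fixed in LDAP so that each memberUid value carries exactly one user name.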
Identity Management component, BZ#750596
Two Identity Management servers, both with a CA (Certificate Authority) installed, use two
replication agreements. One is for user, group, host, and other related data.
Another replication agreement is established between the CA instances installed on the
servers. If the CA replication agreement is broken, the Identity Management data is still
shared between the two servers, however, because there is no replication agreement
between the two CAs, issuing a certificate on one server will cause the other server to not
recognize that certificate, and vice versa.
Identity Management component
The Identity Management (ipa) package cannot be built with a 6ComputeNode
subscription.
Identity Management component
On the configuration page of the Identity Management WebUI, if the User search field is left
blank, and the search button is clicked, an internal error is returned.
sssd component, BZ#741264
Active Directory performs certain LDAP referral-chasing that is incompatible with the referral
mechanism included in the openldap libraries. Notably, Active Directory sometimes
attempts to return a referral on an LDAP bind attempt, which used to cause a hang, and is
now denied by the openldap libraries. As a result, SSSD may suffer from performance
issues and occasional failures resulting in missing information.
To work around this issue, disable referral-chasing by setting the following parameter in the
[domain/DOMAINNAME] section of the /etc/sssd/sssd.conf file:
ldap_referrals = false
2.9. Devices
kernel component
The Red Hat Enterprise Linux 6.2 Emulex FC (lpfc) driver does not support firmware
downloads for LPe1600x 16 Gbit/s Fibre Channel adapters. Please consult your OEM for
instructions on how to download new firmware on these Fibre Channel adapters.
kernel component
iSCSI and FCoE boot support on Broadcom devices is not included in Red Hat Enterprise
Linux 6.2. These two new features, which have been added to the bnx2i and bnx2fc
Broadcom drivers in Red Hat Enterprise Linux 6.2, remain a Technology Preview until
further notice.
kexec-tools component
Starting with Red Hat Enterprise Linux 6.0 and later, kexec kdump supports dumping core
to the Btrfs file system. However, note that because the findfs utility in busybox does not
support Btrfs yet, UUID/LABEL resolving is not functional. Avoid using the UUID/LABEL
syntax when dumping core to Btrfs file systems.
kexec-tools component, BZ#600575
The persistent naming of devices that are dynamically discovered in a system is a large
problem that exists both in and outside of kdump. Normally, devices are detected in the
same order, which leads to consistent naming. In cases where devices are not detected in
the same order, device abstraction layers (for example, LVM) essentially resolve the issue,
through the use of metadata stored on the devices to create consistency. In the rare cases
where no such abstraction layer is in use, and renaming devices causes issues with
kdump, it is recommended that devices be referred to by disk label or UUID in
kdump.conf.
trace-cmd component
The trace-cmd service does not start on 64-bit PowerPC and IBM System z systems because
the sys_enter and sys_exit events do not get enabled on the aforementioned systems.
trace-cmd component
trace-cmd's subcommand, report, does not work on IBM System z systems. This is due
to the fact that the CONFIG_FTRACE_SYSCALLS parameter is not set on IBM System z
systems.
tuned component
Red Hat Enterprise Linux 6.1 and later enter processor power-saving states more
aggressively. This may result in a small performance penalty on certain workloads. This
functionality may be disabled at boot time by passing the intel_idle.max_cstate=0
parameter, or at run time by using the cpu_dma_latency pm_qos interface.
libfprint component
Red Hat Enterprise Linux 6 only has support for the first revision of the UPEK Touchstrip
fingerprint reader (USB ID 147e:2016). Attempting to use a second revision device may
cause the fingerprint reader daemon to crash. The following command returns the version
of the device being used in an individual machine:
~]$ lsusb -v -d 147e:2016 | grep bcdDevice
kernel component
The Emulex Fibre Channel/Fibre Channel-over-Ethernet (FCoE) driver in Red Hat Enterprise
Linux 6 does not support DH-CHAP authentication. DH-CHAP authentication provides
secure access between hosts and mass storage in Fibre-Channel and FCoE SANs in
compliance with the FC-SP specification. Note, however, that the Emulex driver (lpfc) does
support DH-CHAP authentication on Red Hat Enterprise Linux 5, from version 5.4. Future
Red Hat Enterprise Linux 6 releases may include DH-CHAP authentication.
kernel component
The recommended minimum HBA firmware revision for use with the mpt2sas driver is
"Phase 5 firmware" (that is, with version number in the form 05.xx.xx.xx). Note that
following this recommendation is especially important on complex SAS configurations
involving multiple SAS expanders.
2.10. Kernel
kernel component
When booted off a qla4xxx device, upgrading from Red Hat Enterprise Linux 6.1 to Red
Hat Enterprise Linux 6.2 will cause the system to fail to boot up with the new kernel. There
are various ways to work around this issue:
1. You have upgraded to Red Hat Enterprise Linux 6.2 and want the qla4xxx device
firmware to manage discovering and logging in to iSCSI targets.
a. Boot up the system with the Red Hat Enterprise Linux 6.1 kernel.
b. Disable SysfsBoot for the qla4xxx device:
~]# echo "options qla4xxx ql4xdisablesysfsboot=1" >> /etc/modprobe.d/qla4xxx.conf
c. Rebuild initramfs for the Red Hat Enterprise Linux 6.2 kernel by re-installing
the kernel:
~]# yum -y reinstall kernel
2. You have not upgraded to Red Hat Enterprise Linux 6.2 and want the qla4xxx
device firmware to manage discovering and logging in to iSCSI targets.
a. Boot up the system with the Red Hat Enterprise Linux 6.1 kernel.
b. Disable SysfsBoot for the qla4xxx device:
~]# echo "options qla4xxx ql4xdisablesysfsboot=1" >> /etc/modprobe.d/qla4xxx.conf
c. Proceed with the upgrade to Red Hat Enterprise Linux 6.2.
3. You have upgraded to Red Hat Enterprise Linux 6.2 and want to use open-iscsi to
manage the qla4xxx discovery and login process.
a. Boot up the system with the Red Hat Enterprise Linux 6.1 kernel.
b. Install the iscsi-initiator-utils and dracut-network packages:
~]# yum install -y dracut-network iscsi-initiator-utils
c. Rebuild initramfs for the Red Hat Enterprise Linux 6.2 kernel by re-installing
the kernel:
~]# yum -y reinstall kernel
d. Add the iscsi_firmware kernel option into GRUB's configuration:
/boot/grub/menu.lst (for LILO, the Linux Loader, modify the
/etc/lilo.conf file).
4. You have not upgraded to Red Hat Enterprise Linux 6.2 and want to use
open-iscsi to manage the qla4xxx discovery and login process.
a. Install the iscsi-initiator-utils and dracut-network packages:
~]# yum install -y dracut-network iscsi-initiator-utils
b. Proceed with the upgrade to Red Hat Enterprise Linux 6.2.
c. Add the iscsi_firmware kernel option into GRUB's configuration:
/boot/grub/menu.lst (for LILO, the Linux Loader, modify the
/etc/lilo.conf file).
kernel component, BZ#679262
In Red Hat Enterprise Linux 6.2, due to security concerns, addresses in /proc/kallsyms
and /proc/modules show all zeros when accessed by a non-root user.
kernel component
Red Hat Enterprise Linux 6.1 PCI-Express Adapters may fail to configure on October 2011
GA IBM Power 7 systems. For more information, refer to
https://access.redhat.com/site/solutions/66231.
kernel component
Superfluous information is displayed on the console due to a correctable machine check
error occurring. This information can be safely ignored by the user. Machine check error
reporting can be disabled by using the nomce kernel boot option, which disables machine
check error reporting, or the mce=ignore_ce kernel boot option, which disables
correctable machine check error reporting.
kernel component
The order in which PCI devices are scanned may change from one major Red Hat
Enterprise Linux release to another. This may result in device names changing, for example,
when upgrading from Red Hat Enterprise Linux 5 to 6. You must confirm that a device you
refer to during installation, is the intended device.
One way to assure the correctness of device names is to, in some configurations, determine
the mapping from the controller name to the controller's PCI address in the older release,
and then compare this to the mapping in the newer release, to ensure that the device name
is as expected.
The following is an example from /var/log/messages:
kernel: cciss0: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC
…
kernel: cciss1: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC
If the device name is incorrect, add the pci=bfsort parameter to the kernel command line,
and check again.
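The comparison described in the entry above can be scripted. This added example, which is not part of the Red Hat notes, extracts the controller-to-PCI-address mapping from kernel log lines in the cciss format shown and reports controllers whose address differs between two releases. The function names, the cciss2 line and the "newer release" log are constructed.

```shell
#!/bin/sh
# Added example: compare controller-name -> PCI-address mappings taken from
# the kernel log of an older and a newer release.
# Function names and the sample logs below are constructed for illustration.

# Print "name address" pairs from cciss probe messages.
# $1: log file (default: standard input). The last match per controller wins.
controller_pci_map() {
    awk '
        / at PCI / {
            name = ""; addr = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^cciss[0-9]+:$/) name = substr($i, 1, length($i) - 1)
                if ($i == "PCI" && i < NF) addr = $(i + 1)
            }
            if (name != "" && addr != "") map[name] = addr
        }
        END { for (n in map) print n, map[n] }
    ' "${1:--}" | sort
}

# Report controllers whose PCI address differs between two map files.
# $1: map from the older release, $2: map from the newer release.
compare_controller_maps() {
    awk -v oldfile="$1" '
        FILENAME == oldfile { before[$1] = $2; next }
        { after[$1] = $2 }
        END {
            for (n in before) {
                if (!(n in after))               print n ": " before[n] " -> (absent)"
                else if (before[n] != after[n])  print n ": " before[n] " -> " after[n]
            }
            for (n in after) if (!(n in before)) print n ": (absent) -> " after[n]
        }
    ' "$1" "$2" | sort
}

# Older release: the two lines quoted above plus one constructed controller.
sample_old_log() {
    cat <<'EOF'
kernel: cciss0: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC
kernel: cciss1: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC
kernel: cciss2: <0x3230> at PCI 0000:41:00.0 IRQ 79 using DAC
EOF
}

# Newer release (constructed): cciss0 and cciss1 have swapped addresses.
sample_new_log() {
    cat <<'EOF'
kernel: cciss0: <0x3230> at PCI 0000:02:00.0 IRQ 75 using DAC
kernel: cciss1: <0x3230> at PCI 0000:1f:00.0 IRQ 71 using DAC
kernel: cciss2: <0x3230> at PCI 0000:41:00.0 IRQ 79 using DAC
EOF
}

# Build both maps in a temporary directory and print the differences.
demo_compare() {
    tmp=$(mktemp -d) || return 1
    sample_old_log | controller_pci_map > "$tmp/old.map"
    sample_new_log | controller_pci_map > "$tmp/new.map"
    compare_controller_maps "$tmp/old.map" "$tmp/new.map"
    rm -rf "$tmp"
}

demo_compare
```

Any line in the output means a device name now refers to a different physical controller, which is the case where the pci=bfsort parameter should be tried.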
kernel component
Enabling CHAP (Challenge-Handshake Authentication Protocol) on an iSCSI target for the
be2iscsi driver results in kernel panic. To work around this issue, disable CHAP on the
iSCSI target.
kernel component
Newer VPD (Vital Product Data) blocks can exceed the size the tg3 driver normally
handles. As a result, some of the routines that operate on the VPD blocks may fail. For
example, the nvram test fails when running the ethtool -t command on BCM5719 and
BCM5720 Ethernet Controllers.
kernel component
Running the ethtool -t command on BCM5720 Ethernet controllers causes a loopback
test failure because the tg3 driver does not wait long enough for a link.
kernel component
The tg3 driver in Red Hat Enterprise Linux 6.2 does not include support for Jumbo frames
and TSO (TCP Segmentation Offloading) on BCM5719 Ethernet controllers. As a result, the
following error message is returned when attempting to configure, for example, Jumbo
frames:
SIOCSIFMTU: Invalid argument
kernel component
The default interrupt configuration for the Emulex LPFC FC/FCoE driver has changed from
INT-X to MSI-X. This is reflected by the lpfc_use_msi module parameter (in
/sys/class/scsi_host/host#/lpfc_use_msi) being set to 2 by default, instead of
the previous 0.
Two issues provide motivation for this change: SR-IOV capability only works with the MSI-X
interrupt mode, and certain recent platforms only support MSI or MSI-X.
However, the change to the LPFC default interrupt mode can bring out host problems where
MSI/MSI-X support is not fully functional. Other host problems can exist when running in
the INT-X mode.
If any of the following symptoms occur after upgrading to, or installing Red Hat Enterprise
Linux 6.2 with an Emulex LPFC adapter in the system, change the value of the lpfc module
parameter, lpfc_use_msi, to 0:
The initialization or attachment of the lpfc adapter may fail with mailbox errors. As a
result, the lpfc adapter is not configured on the system. The following messages appear
in /var/log/messages:
lpfc 0000:04:08.0: 0:0:0443 Adapter failed to set maximum DMA
length mbxStatus x0
lpfc 0000:04:08.0: 0:0446 Adapter failed to init (255), mbxCmd
x9 CFG_RING, mbxStatus x0, ring 0
lpfc 0000:04:08.0: 0:1477 Failed to set up hba
ACPI: PCI interrupt for device 0000:04:08.0 disabled
While the lpfc adapter is operating, it may fail with mailbox errors, resulting in the
inability to access certain devices. The following messages appear in
/var/log/messages:
lpfc 0000:0d:00.0: 0:0310 Mailbox command x5 timeout Data: x0
x700 xffff81039ddd0a00
lpfc 0000:0d:00.0: 0:0345 Resetting board due to mailbox
timeout
lpfc 0000:0d:00.0: 0:(0):2530 Mailbox command x23 cannot issue
Data: xd00 x2
Performing a warm reboot causes any subsequent boots to halt or stop because the
BIOS is detecting the lpfc adapter. The system BIOS logs the following messages:
Installing Emulex BIOS ......
Bringing the Link up, Please wait...
Bringing the Link up, Please wait...
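The first two symptoms above can be checked for mechanically. The following is an added example, not part of the original Technical Notes: it scans a log for the lpfc message numbers quoted above and summarizes them per PCI device. The function names and category labels are assumptions; the sample log reuses the quoted messages, unwrapped to one line each, plus one constructed line that must be ignored.

```shell
#!/bin/sh
# Added example: find the lpfc mailbox-error symptoms listed in the notes.
# Message numbers come from the log excerpts quoted above:
#   0443, 0446, 1477 -> adapter failed to initialize/attach
#   0310, 0345, 2530 -> mailbox errors while the adapter is operating

# Print "pci_address category count" for every device showing a symptom.
lpfc_symptoms() {
    awk '
        {
            # Locate "lpfc <pci-address>: <prefix>:<4-digit id> ".
            if (!match($0, /lpfc [0-9A-Fa-f:.]+: [0-9():]*:[0-9][0-9][0-9][0-9] /))
                next
            hit = substr($0, RSTART, RLENGTH)
            split(hit, part, " ")
            dev = part[2]
            sub(/:$/, "", dev)               # drop the colon after the address
            id = substr(hit, RLENGTH - 4, 4)  # four digits before the last space
            if (id == "0443" || id == "0446" || id == "1477")
                kind = "attach-failure"
            else if (id == "0310" || id == "0345" || id == "2530")
                kind = "runtime-mailbox"
            else
                next
            count[dev " " kind]++
        }
        END { for (k in count) print k, count[k] }
    ' "$@" | sort
}

# Succeeds (exit status 0) when at least one symptom is present.
lpfc_workaround_advised() {
    [ -n "$(lpfc_symptoms "$@")" ]
}

# Sample log: messages quoted in the notes, plus one constructed line with
# an id (9999) that is not on the list.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
lpfc 0000:04:08.0: 0:0:0443 Adapter failed to set maximum DMA length mbxStatus x0
lpfc 0000:04:08.0: 0:0446 Adapter failed to init (255), mbxCmd x9 CFG_RING, mbxStatus x0, ring 0
lpfc 0000:04:08.0: 0:1477 Failed to set up hba
lpfc 0000:0d:00.0: 0:0310 Mailbox command x5 timeout Data: x0 x700 xffff81039ddd0a00
lpfc 0000:0d:00.0: 0:0345 Resetting board due to mailbox timeout
lpfc 0000:0d:00.0: 0:(0):2530 Mailbox command x23 cannot issue Data: xd00 x2
lpfc 0000:0d:00.0: 0:9999 constructed unrelated message
EOF
lpfc_symptoms "$demo_log"
if lpfc_workaround_advised "$demo_log"; then
    # Assumption: the parameter is set persistently with a modprobe option
    # line; the notes only say to change lpfc_use_msi to 0.
    echo "symptoms found: set lpfc_use_msi=0 (e.g. 'options lpfc lpfc_use_msi=0')"
fi
rm -f "$demo_log"
```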
kernel component
The minimum firmware version for NIC adapters managed by netxen_nic is 4.0.550. This
includes the boot firmware which is flashed in option ROM on the adapter itself.
kernel component
The kdump kernel occasionally panics on a DELL PowerEdge R810 system with the i686
architecture.
kernel component
Running the LTP (Linux Testing Project) cgroup test suite on certain AMD systems causes
NMI Watchdog to detect a hard LOCKUP and cause kernel panic.
kernel component, BZ#683012
High stress on 64-bit IBM POWER series machines prevents kdump from successfully
capturing the vmcore. As a result, the second kernel is not loaded, and the system
becomes unresponsive.
kernel component
Loading and unloading edac modules in a loop on certain HP systems may cause kernel
panic.
kernel component
If the storage driver is loaded before multipathd is started, I/O errors occur. To work
around this issue, use one of the following kernel command line parameters which are
consumed by dracut:
rdloaddriver=scsi_dh_emc
or
rdloaddriver=scsi_dh_rdac
or
rdloaddriver=scsi_dh_emc,scsi_dh_rdac
The above command line parameters will cause the scsi_dh module to load before
multipath is started.
kernel component
Triggering kdump to capture a vmcore through the network using the Intel 82575EB
ethernet device in a 32 bit environment causes the networking driver to not function
properly in the kdump kernel, and prevents the vmcore from being captured.
kernel component, BZ#701857
Attempting to hibernate certain laptops, including Lenovo ThinkPad T400 and Lenovo
ThinkPad X200, can cause kernel panic.
kernel component
On a system configured with an HP Smart Array controller, during the kdump process, the
capturing kernel can become unresponsive and the following error message is logged:
NMI: IOCK error (debug interrupt?)
As a workaround, the system can be configured by blacklisting the hpsa module in a
configuration file such as /etc/modules.d/blacklist.conf, and specifying the
disk_timeout option so that saving the vmcore over the network is possible.
kernel component
Memory Type Range Register (MTRR) setup on some hyperthreaded machines may be
incorrect following a suspend/resume cycle. This can cause graphics performance
(specifically, scrolling) to slow considerably after a suspend/resume cycle.
To work around this issue, disable and then re-enable the hyperthreaded sibling CPUs
around suspend/resume, for example:
#!/bin/sh
# Disable hyper-threading processor cores on suspend and hibernate, re-enable
# on resume.
# This file goes into /etc/pm/sleep.d/
case $1 in
    hibernate|suspend)
        echo 0 > /sys/devices/system/cpu/cpu1/online
        echo 0 > /sys/devices/system/cpu/cpu3/online
        ;;
    thaw|resume)
        echo 1 > /sys/devices/system/cpu/cpu1/online
        echo 1 > /sys/devices/system/cpu/cpu3/online
        ;;
esac
kernel component
In Red Hat Enterprise Linux 6.2, nmi_watchdog registers with the perf subsystem.
Consequently, during boot, the perf subsystem grabs control of the performance counter
registers, blocking OProfile from working. To resolve this, either boot with the
nmi_watchdog=0 kernel parameter set, or run the following command to disable it at run
time:
echo 0 > /proc/sys/kernel/nmi_watchdog
To re-enable nmi_watchdog, use the following command:
echo 1 > /proc/sys/kernel/nmi_watchdog
kernel component, BZ#603911
Due to the way ftrace works when modifying the code during start-up, the NMI watchdog
causes too much noise and ftrace cannot find a quiet period to instrument the code.
Consequently, machines with more than 512 CPUs will encounter issues with the NMI
watchdog. Such issues will return error messages similar to BUG: NMI Watchdog
detected LOCKUP and have either ftrace_modify_code or ipi_handler in the
backtrace. To work around this issue, disable NMI watchdog by setting the
nmi_watchdog=0 kernel parameter, or using the following command at run time:
echo 0 > /proc/sys/kernel/nmi_watchdog
kernel component
On 64-bit POWER systems the EHEA NIC driver will fail when attempting to dump a vmcore
via NFS. To work around this issue, utilize other kdump facilities, for example dumping to
the local file system, or dumping over SSH.
kernel component, BZ#587909
A BIOS emulated floppy disk might cause the installation or kernel boot process to hang.
To avoid this, disable emulated floppy disk support in the BIOS.
kernel component
The preferred method to enable nmi_watchdog on 32-bit x86 systems is to use either
nmi_watchdog=2 or nmi_watchdog=lapic parameters. The parameter
nmi_watchdog=1 is not supported.
kernel component
The kernel parameter, pci=noioapicquirk, is required when installing the 32-bit variant
of Red Hat Enterprise Linux 6 on HP xw9300 workstations. Note that the parameter change
is not required when installing the 64-bit variant.
2.11. Desktop
PackageKit component
Installing or updating packages signed with a GPG key not known or accessible to the
system may throw PackageKit into a loop of password dialogues, repeatedly asking the
user to confirm the installation of these packages from an untrusted source.
This issue may occur if additional third party repositories are configured on the system for
which the GPG public key is not imported into the RPM database, nor specified in the
respective Yum repository configuration. Official Red Hat Enterprise Linux repositories and
packages should not be affected by this issue.
To work around this issue, import the respective GPG public key into the RPM database by
executing the following command as root:
~]# rpm --import <file_containing_the_public_key>
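To find which repositories can trigger this, check the Yum repository configuration for enabled repositories that specify no GPG key. The following is an added example, not part of the original Technical Notes: the function name, repository ids and URLs are assumptions, and the sample .repo file is constructed.

```shell
#!/bin/sh
# Added example: list enabled Yum repositories whose configuration has no
# gpgkey= setting, i.e. repositories whose signing key must already be in
# the RPM database for signature checks to succeed.

# Usage: repos_missing_gpgkey /etc/yum.repos.d/*.repo
# Prints "repo_id gpgcheck=<value>"; the value is "unset" when the section
# does not set gpgcheck itself.
repos_missing_gpgkey() {
    awk '
        function report() {
            if (repo != "" && enabled != "0" && gpgkey == "")
                print repo " gpgcheck=" gpgcheck
        }
        FNR == 1 { report(); repo = "" }     # sections do not span files
        /^[ \t]*[#;]/ { next }               # comment
        /^[ \t]*$/    { next }               # blank line
        /^[ \t]*\[/ {                        # section header: [repo_id]
            report()
            repo = $0
            sub(/^[ \t]*\[/, "", repo)
            close_at = index(repo, "]")
            if (close_at > 0)
                repo = substr(repo, 1, close_at - 1)
            enabled = "1"; gpgkey = ""; gpgcheck = "unset"
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled")       enabled = val
            else if (key == "gpgkey")   gpgkey = val
            else if (key == "gpgcheck") gpgcheck = val
        }
        END { report() }
    ' "$@"
}

# Constructed sample configuration (repo ids, URLs and key path are made up).
demo_repo=$(mktemp)
cat > "$demo_repo" <<'EOF'
[thirdparty-tools]
name=Third-party tools
baseurl=http://repo.example.com/el6/$basearch/
enabled=1
gpgcheck=1

[thirdparty-signed]
name=Third-party repository with a key configured
baseurl=http://repo.example.com/signed/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[thirdparty-disabled]
name=Disabled repository
baseurl=http://repo.example.com/old/$basearch/
enabled=0
gpgcheck=1
EOF
repos_missing_gpgkey "$demo_repo"    # prints: thirdparty-tools gpgcheck=1
rm -f "$demo_repo"
```

For each repository reported, either import its key with the rpm --import command above or add a gpgkey= line to its section; rpm -q gpg-pubkey lists the keys already imported into the RPM database.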
gnome-power-manager component, BZ#748704
After resuming the system or re-enabling the display, an icon may appear in the notification
area with a tooltip that reads:
Session active, not inhibited, screen idle. If you see this test,
your display server is broken and you should notify your
distributor. Please see
http://blogs.gnome.org/hughsie/2009/08/17/gnome-power-managerand-blanking-removal-of-bodges/ for more information.
This error message is incorrect, has no effect on the system, and can be safely ignored.
acroread component
On an AMD64 system that uses SSSD for getting information about users, acroread fails
to start if the sssd-client.i686 package is not installed. To work around this
issue, manually install the sssd-client.i686 package.
kernel component, BZ#681257
With newer kernels, such as the kernel shipped in Red Hat Enterprise Linux 6.1, Nouveau
has corrected the Transition Minimized Differential Signaling (TMDS) bandwidth limits for
pre-G80 nVidia chipsets. Consequently, the resolution auto-detected by X for some
monitors may differ from that used in Red Hat Enterprise Linux 6.0.
fprintd component
When enabled, fingerprint authentication is the default authentication method to unlock a
workstation, even if the fingerprint reader device is not accessible. However, after a 30
second wait, password authentication will become available.
evolution component
Evolution's IMAP backend only refreshes folder contents under the following
circumstances: when the user switches into or out of a folder, when the auto-refresh period
expires, or when the user manually refreshes a folder (that is, using the menu item Folder
→ Refresh). Consequently, when replying to a message in the Sent folder, the new
message does not immediately appear in the Sent folder. To see the message, force a
refresh using one of the methods described above.
anaconda component
The clock applet in the GNOME panel has a default location of Boston, USA. Additional
locations are added via the applet's preferences dialog. Additionally, to change the default
location, left-click the applet, hover over the desired location in the Locations section,
and click the Set... button that appears.
xorg-x11-server component, BZ#623169
In some multi-monitor configurations (for example, dual monitors with both rotated), the
cursor confinement code produces incorrect results. For example, the cursor may be
permitted to disappear off the screen when it should not, or be prevented from entering
some areas where it should be allowed to go. Currently, the only workaround for this issue
is to disable monitor rotation.
Chapter 3. New Packages
3.1. RHEA-2011:1627 — new packages: btparser
New btparser packages are now available for Red Hat Enterprise Linux 6.
The btparser is a backtrace parser and analyzer library, which works with backtraces produced by
the GNU Project Debugger. It can parse a text file with a backtrace to a tree of C structures, allowing
the threads and frames of the backtrace to be analyzed and processed.
This enhancement update adds the btparser package to Red Hat Enterprise Linux 6. (BZ #708038)
All users who require btparser are advised to install this new package.
3.2. RHEA-2011:1729 — new package: fcoe-target-utils
A new fcoe-target-utils package is now available as a Technology Preview for Red Hat Enterprise
Linux 6.
The fcoe-target-utils package is a command line interface for configuring FCoE LUNs (Fibre Channel
over Ethernet Logical Unit Numbers) and backstores.
This enhancement update adds a new fcoe-target-utils package to Red Hat Enterprise Linux 6 as a
Technology Preview. (BZ #724035)
More information about Red Hat Technology Previews is available here:
https://access.redhat.com/support/offerings/techpreview/
All users who want to use the fcoe-target-utils Technology Preview should install this newly-released
package, which adds this enhancement.
3.3. RHEA-2011:1653 — new package: libunistring
A new libunistring package is now available for Red Hat Enterprise Linux 6.
This portable C library implements the UTF-8, UTF-16 and UTF-32 Unicode string types, together with
functions for character processing (names, classifications, and properties) and functions for string
processing (iteration, formatted output, width, word breaks, line breaks, normalization, case folding,
and regular expressions).
This enhancement update adds the libunistring package to Red Hat Enterprise Linux 6. The
libunistring package has been added as a dependency for the System Security Services Daemon
(SSSD) in order to process internationalized HBAC rules on FreeIPA servers. (BZ #726463)
All users who require libunistring should install this new package.
3.4. RHEA-2011:1636 — new package: libvirt-qmf
A new libvirt-qmf package is now available for Red Hat Enterprise Linux 6.
The libvirt-qmf package contains a daemon to allow remote control of the libvirt API through the Qpid
Management Framework (QMF).
Enhancement
BZ#688194
With this update, the libvirt-qmf package obsoletes the libvirt-qpid package, which provided
similar functionality. The new package uses the matahari library to provide an interface
consistent with that of other Matahari agents.
Note: After installation, it is advisable to convert existing QMF consoles, that previously
connected to libvirt-qpid, to use libvirt-qmf as their interface. Also, when creating a new
QMF console, it is recommended to use libvirt-qmf to communicate with libvirt.
All users requiring libvirt-qmf are advised to install this new package, which adds this enhancement.
3.5. RHEA-2011:1609 — new package: libvirt-snmp
A new libvirt-snmp package is now available for Red Hat Enterprise Linux 6.
The new libvirt-snmp package allows the libvirt virtualization management tool to be controlled
and monitored by way of the SNMP protocol. SNMP is an Internet-standard protocol for managing
devices on IP networks. Its modular structure allows it to be used in new fields, and this new
package allows virtualization management by bridging the SNMP protocol and the libvirt API.
This enhancement update adds the libvirt-snmp package to Red Hat Enterprise Linux 6.
(BZ #642556, BZ #706114)
All users who require libvirt-snmp are advised to install this new package.
3.6. RHEA-2011:1714 — new packages: mesa-libGLw
New mesa-libGLw packages are now available for Red Hat Enterprise Linux 6.
The mesa-libGLw packages provide an Xt/Motif OpenGL Drawing Area Widget.
This enhancement update adds the mesa-libGLw package to Red Hat Enterprise Linux 6. (BZ #729243)
All users who require mesa-libGLw are advised to install these new packages.
3.7. RHBA-2011:1628 — new package: openslp
A new openslp package is now available for Red Hat Enterprise Linux 6.
OpenSLP is an open source implementation of the Service Location Protocol (SLP) which is an
Internet Engineering Task Force (IETF) standards track protocol and provides a framework to allow
networking applications to discover the existence, location, and configuration of networked services
in enterprise networks.
This enhancement update adds the openslp package to Red Hat Enterprise Linux 6. (BZ #518286)
All users who require OpenSLP are advised to install this new package.
3.8. RHEA-2011:1545 — new package: passsync
A new passsync package is now available for Red Hat Enterprise Identity Replication.
PassSync is a Windows service that runs on every domain controller. This intercepts clear text
password updates and sends them to the directory server running on Red Hat Enterprise Linux.
PassSync works together with the Windows Synchronization (WinSync) feature of the directory
server to keep passwords synchronized between Active Directory (AD) and the directory server
running on Red Hat Enterprise Linux.
This enhancement update adds the passsync package to Red Hat Enterprise Identity Replication
which is an add-on for Red Hat Enterprise Linux 6. (BZ #690622)
Users who require password synchronization together with WinSync are advised to install this new
package.
3.9. RHEA-2011:1731 — new package: perl-Test-Inter
A new perl-Test-Inter package is now available for Red Hat Enterprise Linux 6.
The Test::Inter module provides a framework for writing interactive test scripts in Perl. It is inspired by
the Test::More framework.
This enhancement update adds the perl-Test-Inter package to Red Hat Enterprise Linux 6.
(BZ #705752)
All users who require perl-Test-Inter should install this new package.
3.10. RHEA-2011:1725 — new package: python-configshell
A new python-configshell package is now available for Red Hat Enterprise Linux 6.
The python-configshell package provides a library for implementing configuration command line
interfaces for the Python programming environment.
This enhancement update adds the python-configshell package to Red Hat Enterprise Linux 6 as
part of the Technology Preview of Fibre Channel over Ethernet (FCoE) target mode. (BZ #726774)
Important
This package is provided as a dependency of the fcoe-target-utils package. It is recommended
to install it only as a prerequisite for running fcoe-target-utils, and not to use it independently.
All users who want to use the Technology Preview of Fibre Channel over Ethernet target mode should
install this newly-released package, which adds this enhancement.
3.11. RHEA-2011:1724 — new package: python-ipaddr
A new python-ipaddr package is now available for Red Hat Enterprise Linux 6.
The python-ipaddr package is a library for working with IPv4 and IPv6 addresses for the Python
programming environment.
This enhancement update adds the python-ipaddr package to Red Hat Enterprise Linux 6.
(BZ #726773)
This is being added as part of the Tech Preview of FCoE (Fibre Channel over Ethernet) target mode,
as a dependency of fcoe-target-utils. It is recommended to install this library only as a prerequisite for
running fcoe-target-utils, and it should not be used independently.
3.12. RHEA-2011:1728 — new package: python-rtslib
A new python-rtslib package is now available for Red Hat Enterprise Linux 6.
The python-rtslib package provides a library for interacting with storage target-related interfaces for
the Python programming environment.
This enhancement update adds the python-rtslib package to Red Hat Enterprise Linux 6 as part of
the Technology Preview of Fibre Channel over Ethernet (FCoE) target mode. (BZ #726778)
Important
This package is provided as a dependency of the fcoe-target-utils package. It is recommended
to install it only as a prerequisite for running fcoe-target-utils, and not to use it independently.
All users who want to use the Technology Preview of Fibre Channel over Ethernet target mode should
install this newly-released package, which adds this enhancement.
3.13. RHEA-2011:1727 — new package: python-simpleparse
A new python-simpleparse package is now available for Red Hat Enterprise Linux 6.
The python-simpleparse package is a simple and fast parser generator for the Python programming
environment.
This enhancement update adds the python-simpleparse package to Red Hat Enterprise Linux 6 as
part of the Technology Preview of Fibre Channel over Ethernet (FCoE) target mode. (BZ #726776)
Important
This package is provided as a dependency of the fcoe-target-utils package. It is recommended
to install it only as a prerequisite for running fcoe-target-utils, and not to use it independently.
All users who want to use the Technology Preview of Fibre Channel over Ethernet target mode should
install this newly-released package, which adds this enhancement.
3.14. RHEA-2012:0022 — new package: python-suds
The python-suds package is now available for Red Hat Enterprise Linux 6 Server and Red Hat
Enterprise Linux High Performance Compute Node.
The python-suds package provides a lightweight implementation of the Simple Object Access
Protocol (SOAP) for the Python programming environment.
This enhancement update adds the python-suds package to Red Hat Enterprise Linux 6 Server and
Red Hat Enterprise Linux High Performance Compute Node. Previously it was only available with the
Red Hat Enterprise Linux High Availability and Red Hat Enterprise Linux Resilient Storage add-on
products. (BZ #765896)
All users who require python-suds are advised to install this new package.
3.15. RHEA-2011:1622 — new package: python-suds
A new python-suds package is now available for Red Hat Enterprise Linux 6.
The python-suds package provides a lightweight implementation of the Simple Object Access
Protocol (SOAP) for the Python programming environment.
This enhancement update adds the python-suds package to Red Hat Enterprise Linux 6.
(BZ #681835)
All users who require python-suds are advised to install this new package.
3.16. RHEA-2011:1726 — new package: python-urwid
A new python-urwid package is now available for Red Hat Enterprise Linux 6.
The python-urwid package provides a library for development of text user interface applications in
the Python programming environment.
This enhancement update adds the python-urwid package to Red Hat Enterprise Linux 6 as part of
the Technology Preview of Fibre Channel over Ethernet (FCoE) target mode. (BZ #726775)
Important
This package is provided as a dependency of the fcoe-target-utils package. It is recommended
to install it only as a prerequisite for running fcoe-target-utils, and not to use it independently.
All users who want to use the Technology Preview of Fibre Channel over Ethernet target mode should
install this newly-released package, which adds this enhancement.
3.17. RHEA-2011:1590 — new package: sanlock
A new sanlock package is now available for Red Hat Enterprise Linux 6.
The sanlock package provides a shared disk lock manager that uses disk paxos to manage leases
on shared storage. Hosts connected to a common Storage Area Network (SAN) can use sanlock to
synchronize the access to the shared disks. Both libvirt and vdsm can use sanlock to synchronize
access to shared virtual machine (VM) images.
This enhancement update adds the sanlock package to Red Hat Enterprise Linux 6. (BZ #658971)
All users who require sanlock are advised to install this new package.
3.18. RHEA-2011:1640 — new packages: sgabios
New sgabios packages are now available for Red Hat Enterprise Linux 6.
The sgabios packages provide the Google Serial Graphics Adapter BIOS (SGABIOS) for legacy 86bit software to communicate with an attached serial console.
This enhancement update adds the new sgabios packages to Red Hat Enterprise Linux 6.
(BZ #725832)
All users who require SGABIOS are advised to install these new packages.
3.19. RHEA-2011:1610 — new packages: spice-gtk
New spice-gtk packages are now available for Red Hat Enterprise Linux 6.
spice-gtk is a GTK2 widget for SPICE clients. Both virt-manager and virt-viewer can make use of this
widget to access virtual machines using the SPICE protocol.
This enhancement update adds spice-gtk to Red Hat Enterprise Linux 6. (BZ #708417)
All users of SPICE clients such as virt-manager or virt-viewer are advised to install these new
packages.
3.20. RHEA-2011:1633 — new package: tboot
A new tboot package is now available for Red Hat Enterprise Linux 6.
The tboot package provides Trusted Boot (tboot), an open source pre-kernel/VMM module that uses
Intel Trusted Execution Technology (Intel TXT) to initialize the launch of operating system kernels
and virtual machines.
This enhancement update adds tboot to Red Hat Enterprise Linux 6. (BZ #691617)
All users wishing to evaluate trusted boot capabilities are advised to install this new package.
3.21. RHEA-2011:1752 — new package: vios-proxy
A new vios-proxy package is now available as a Technology Preview for Red Hat Enterprise Linux 6.
The vios-proxy program suite creates a network tunnel between a server in the QEMU host and a
client in a QEMU guest. The proxied server and client programs open normal TCP network ports on
localhost and the vios-proxy tunnel connects them using QEMU virtioserial channels.
This enhancement update adds a new vios-proxy package to Red Hat Enterprise Linux 6 as a
Technology Preview. (BZ #721119)
More information about Red Hat Technology Previews is available here:
https://access.redhat.com/support/offerings/techpreview/
All users who want to use the vios-proxy Technology Preview should install this newly-released
package, which adds this enhancement.
3.22. RHEA-2011:1757 — new package: virt-who
A new virt-who package is now available for Red Hat Enterprise Linux 6.
The virt-who package provides an agent that collects information about virtual guests present in the
system and reports them to the Red Hat Subscription Manager tool.
This enhancement update adds the virt-who package to Red Hat Enterprise Linux 6. (BZ #725832)
All users are advised to install this new package.
3.23. RHEA-2011:1625 — new package: wdaemon
A new wdaemon package is now available for Red Hat Enterprise Linux 6.
The new wdaemon package contains a daemon to wrap input driver hotplugging in the X.Org
implementation of the X Window System server. The wdaemon package emulates virtual input devices
so that the otherwise non-persistent configuration of Wacom tablets persists across device removals.
This enhancement update adds the wdaemon package to Red Hat Enterprise Linux 6.
All users who require wdaemon should install this new package.
Chapter 4. Package Updates
Important
The Red Hat Enterprise Linux 6 Technical Notes compilations for Red Hat Enterprise Linux 6.0,
6.1 and 6.2 have been republished.
Each compilation still lists all advisories comprising their respective GA release, including all
Fastrack advisories.
To more accurately represent the advisories released between minor updates of Red Hat
Enterprise Linux, however, some advisories released asynchronously between minor releases
have been relocated.
Previously, these asynchronously released advisories were published in the Technical Notes
for the most recent Red Hat Enterprise Linux minor update. Asynchronous advisories released
after the release of Red Hat Enterprise Linux 6.1 and before the release of Red Hat Enterprise Linux
6.2 were published in the Red Hat Enterprise Linux 6.2 Technical Notes, for example.
Most of these asynchronous advisories were concerned with, or even specific to, the then
extant Red Hat Enterprise Linux release, however.
With these republished Technical Notes, such advisories are now incorporated into the
Technical Notes for the Red Hat Enterprise Linux release they are associated with.
Future Red Hat Enterprise Linux Technical Notes will follow this pattern. On first publication a
Red Hat Enterprise Linux X.y Technical Notes compilation will include the advisories
comprising that release along with the Fastrack advisories for the release.
Upon the GA of the succeeding Red Hat Enterprise Linux release, the Red Hat Enterprise Linux
X.y Technical Notes compilation will be republished to include associated asynchronous
advisories released since Red Hat Enterprise Linux X.y GA up until the GA of the successive
release.
4.1. 389-ds-base
4.1.1. RHEA-2011:1711 — 389-ds-base bug fix and enhancement update
Updated 389-ds-base packages that fix several bugs and add various enhancements are now
available for Red Hat Enterprise Linux 6.
The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight
Directory Access Protocol (LDAP) server and command-line utilities for server administration.
Bug Fixes
BZ#720458
If a server sent a response to an unbind request and the client simply closed the
connection, Directory Server 8.2 logged "Netscape Portable Runtime error -5961 (TCP
connection reset by peer.)".
BZ#752155
An incorrect SELinux context caused AVC errors in /var/log/audit/audit.log.
BZ#697663, BZ#700665, BZ#711533, BZ#711241, BZ#726136, BZ#700215
A number of memory leaks and performance errors were fixed.
BZ#711266
The DS could not restart after a new object class was created which used the entryUSN
attribute.
BZ#712167
The ns-slapd process segfaulted if suffix referrals were enabled.
BZ#711513
A high volume of TCP traffic could cause the slapd process to quit responding to clients.
BZ#714298
Attempting to delete a VLV index caused the server to hang.
BZ#720051
Connections to the DS by an RSA authentication server using simple paged results by
default would timeout.
BZ#735217
Running a simple paged search against a subtree with a host-based ACI would hang the
server.
BZ#733443
If the target attribute list for an ACI had syntax errors and more than five attributes, the
server crashed.
BZ#734267
It was not possible to set account lockout policies after upgrading from RHDS 8.1.
BZ#720452
Adding an entry with an RDN containing a % caused the server to crash.
BZ#709868
Only FIPS-supported ciphers can be used if the server is running in FIPS mode.
BZ#711265
It is possible to disable SSLv3 and only allow TLS.
BZ#713317, BZ#713318
If the changelog was encrypted and the certificate became corrupt, the server crashed.
BZ#733434
If the passwordisglobalpolicy attribute was enabled on a chained server, a secure
connection to the master failed.
BZ#714310
If a chained database was replicated, the server could segfault.
BZ#694571
Editing a replication agreement to use SASL/GSS-API failed with GSS-API errors.
BZ#742611
In replication, a msgid may not be sent to the right thread, which caused "Bad parameter to
an LDAP routine" errors. This causes failures to propagate up and halt replication.
BZ#701057
Password changes were replicated among masters replication, but not to consumers.
BZ#717066
If an entry was modified on RHDS and the corresponding entry was deleted on the
Windows side, the sync operation attempts to use the wrong entry.
BZ#734831
Some changes were not properly synced over to RHDS from Windows.
BZ#726273
RHDS entries were not synced over to Windows if the user's CN had a comma.
BZ#718351
Intensive update loads on master servers could break the cache on the consumer, causing
it to crash.
BZ#699458
Syncing a multi-valued attribute could delete all the other instances of that attribute when a
new value was added.
BZ#729817
If a synced user subtree on Windows was deleted and then a user password was changed
on the RHDS, the DS would crash.
Enhancements
BZ#742382
The nsslapd-idlistscanlimit configuration attribute can be set dynamically, instead of
requiring a restart.
BZ#742661
Separate resource limits can be set for paged searches, independent of resource limits for
regular searches.
BZ#720459
The sudo schema has been updated.
BZ#739959
A new configuration attribute sets a different list of replicated attributes for a total update
versus an incremental update.
BZ#733440
A new configuration option allows the server to be started with an expired certificate.
BZ#720461
New TLS/SSL error messages have been added to the replication error log level.
Users are advised to upgrade to these updated 389-ds-base packages, which resolve these issues
and add these enhancements.
4.1.2. RHBA-2012:0049 — 389-ds-base bug fix update
Updated 389-ds-base packages that fix multiple bugs are now available for Red Hat Enterprise Linux
6.
The 389-ds-base packages provide 389 Directory Server, which is an LDAPv3 compliant server. The
base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line
utilities for server administration.
Bug Fixes
BZ#758682
When the LDAP server was under a heavy load, and the network was congested, client
connections could experience problems. If there was a connection problem while the server
was sending Simple Paged Result (SPR) search results to the client, the LDAP server called
a cleanup routine incorrectly. This led to a memory leak and the server terminated
unexpectedly. With this update, the underlying code has been modified to ensure that
cleanup tasks are run correctly and memory leaks no longer occur. The LDAP server no
longer crashes in this scenario.
BZ#758683
Previously, certain operations with the Change Sequence Number (CSN) were not very
effective in 389 Directory Server. Therefore, performing a large number of the modrdn
operations during Directory Server content replications led to poor performance, and the
ns-slapd daemon consumed up to 100% CPU under these circumstances. With this update,
the underlying code has been modified to use these CSN operations efficiently so that
replications in Directory Server now work as expected in this scenario.
BZ#758688
Previously, allocated memory was not correctly released in the underlying code for the
SASL GSSAPI authentication method, when checking the Simple Authentication and
Security Layer (SASL) identity mappings. This problem could cause memory leaks when
processing SASL bind requests, which eventually caused the LDAP server to terminate
unexpectedly with a segmentation fault. This update adds function calls that are needed to
free allocated memory correctly. Memory leaks no longer occur and the LDAP server no
longer crashes in this scenario.
BZ#771631
Previously, 389 Directory Server used the Netscape Portable Runtime (NSPR)
implementation of the read/write locking mechanism. This implementation allowed
deadlocks to occur if 389 Directory Server was under a heavy load, which caused the
server to become unresponsive. With this update, 389 Directory Server now uses the POSIX
implementation of the locking mechanism, and deadlocks no longer occur under a heavy
load.
BZ#771632
Under a heavy load in replicated environments, 389 Directory Server did not handle the
Entry USN index correctly. Consequently, the index could become out of sync with the main
database and search operations on USN entries returned incorrect results. This update
modifies the Entry USN plug-in and 389 Directory Server now handles the Entry USN index
as expected.
All users of 389-ds-base are advised to upgrade to these updated packages, which fix these bugs.
4.2. abrt and libreport
4.2.1. RHBA-2011:1598 — abrt and libreport bug fix and enhancement update
Updated abrt and libreport packages that fix several bugs and add various enhancements are now
available for Red Hat Enterprise Linux 6.
The abrt packages contain the Automatic Bug Reporting Tool (ABRT) version 2. In comparison with
ABRT version 1, this version provides more flexible configuration, which covers a variety of customer
use cases that the previous version was unable to cover. It also moves a lot of data processing from
the daemon to separate tools that run without root privileges, which makes the daemon less error
prone and the whole processing more secure.
Note: This update obsoletes the former report tool and replaces the report library to unify the
reporting process in all Red Hat applications (Anaconda, setroubleshoot, ABRT). The most
interesting feature for end-users is the problem solution searching: when ABRT is configured to
report to the Red Hat Customer Portal, it tries to search Red Hat problem databases (such as
Knowledge Base or Bugzilla) for possible solutions and refers the user to these resources if the
solution is found.
Bug Fixes
BZ#610603
The abrt-gui application used to list plug-ins multiple times if they were configured in the
configuration file. This is now fixed.
BZ#627621
In the previous version of ABRT, a daemon restart was required for any changes in the
configuration to take effect. In the new version, most of the options in the configuration file
no longer require a restart.
BZ#653872
Support for retrace server has been added. Refer to
https://fedorahosted.org/abrt/wiki/AbrtRetraceServer for more information about this new
feature.
BZ#671354
By default, ABRT stores all problem information in the /var/spool/abrt/ directory. Previously,
this path was hard coded and could not be changed in the configuration. With this update,
this path can be changed in the /etc/abrt/abrt.conf configuration file.
BZ#671359
The previous documentation failed to cover some customer use cases. This error has been
fixed, and all of these use cases are now covered in the Red Hat Enterprise Linux 6
Deployment Guide.
BZ#673173
In ABRT version 1, it was not possible to use wildcards to specify that some action should
happen for any user. ABRT version 2 adds support for this functionality.
BZ#695416
The missing information about configuring a proxy has been added to the Red Hat
Enterprise Linux 6 Deployment Guide.
BZ#707950
Previously, a bug in ABRT version 1 prevented a local Python build from finishing. This is
now fixed.
BZ#725660
The previous report tool and report library have been obsoleted by abrt and libreport. Users
can notice the change in the problem reporting user interface of Anaconda, setroubleshoot,
and ABRT.
All users of ABRT are advised to upgrade to these updated packages, which provide numerous bug
fixes and enhancements.
4.3. acl
4.3.1. RHBA-2011:0924 — acl bug fix update
Updated acl packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
Access Control Lists (ACLs) are used to define finer-grained discretionary access rights for files and
directories. The acl packages contain the getfacl and setfacl utilities needed for manipulating access
control lists.
Bug Fixes
BZ#674883
Prior to this update, the setfacl.1 man page was not intelligible in that it did not state that
removing a non-existent ACL entry is not considered to be an error. With this update, the
setfacl.1 man page has been updated so that its content is now intelligible and exactly
specifies the aforementioned behavior with regard to removing a non-existent ACL entry.
BZ#702638
Prior to this update, the package specification did not reflect a change of the upstream
project web page address. This update corrects the respective address in the package
specification.
All users of Access Control Lists should upgrade to these updated packages, which fix these bugs.
4.3.2. RHEA-2011:1657 — acl enhancement update
Updated acl packages that add two enhancements are now available for Red Hat Enterprise Linux 6.
Access Control Lists (ACLs) are used to define finer-grained discretionary access rights for files and
directories. The acl packages contain the getfacl and setfacl utilities needed for manipulating access
control lists.
Enhancements
BZ#720318
Prior to this update, the ACL library did not provide any function to check for extended ACLs
of a file without following symbolic links. The only available function, acl_extended_file(),
used to cause unnecessary mounts of autofs. This update introduces a new function,
acl_extended_file_nofollow(), that checks for extended ACLs of a file without following
symbolic links.
BZ#723998
Previously, the ACL library was linked without support for RELRO (read-only relocations)
flags. With this update, the library is now linked with partial RELRO support.
Users of acl are advised to upgrade to these updated packages, which add these enhancements.
4.4. aide
4.4.1. RHBA-2012:0512 — aide bug fix update
Updated aide packages that fix one bug are now available for Red Hat Enterprise Linux 6.
Advanced Intrusion Detection Environment (AIDE) is a program that creates a database of files on a
system, and then uses that database to ensure file integrity and detect system intrusions.
Bug Fix
BZ#811936
Previously, the aide utility incorrectly initialized the gcrypt library. This consequently
prevented aide from initializing its database if the system was running in FIPS-compliant mode.
The initialization routine has been corrected, and along with an extension to libgcrypt's
API introduced in the RHEA-2012:0486 advisory, aide now initializes its database as
expected if run in a FIPS-compliant way.
All users of aide are advised to upgrade to these updated packages, which fix this bug.
4.5. alsa-lib
4.5.1. RHBA-2011:1719 — alsa-lib bug fix update
Updated alsa-lib packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The alsa-lib packages contain libraries for the Advanced Linux Sound Architecture (ALSA).
Bug Fix
BZ#704772
Prior to this update, the alsa output plugin for the Audacious Audio Player did not work
correctly. As a result, Audacious could under certain circumstances fail to generate any
sound and display error messages. With this update, alsa-lib is modified so that Audacious
can now generate sound as expected.
All alsa-lib users are advised to upgrade to these updated packages, which fix this bug.
4.6. anaconda
4.6.1. RHBA-2011:1565 — anaconda bug fix and enhancement update
An updated anaconda package that fixes several bugs and adds various enhancements is now
available for Red Hat Enterprise Linux 6.
The anaconda package contains portions of the Anaconda installation program that can be run by
the user for reconfiguration and advanced installation options.
Bug Fixes
BZ#641861
Issues with "interactive" mode partitioning are fixed.
BZ#731274
The network command is parsed correctly.
BZ#689996
The /boot partition on EFI systems is handled correctly.
BZ#705274
Files that are necessary for libreport and SSL installation mode have been added.
BZ#676404
Symbolic links to LVM commands have been added to the rescue image.
BZ#730650
The /sbin/cio_ignore command is added to initrd.img for IBM System z.
BZ#689029
Support for dracut-style "rdloaddriver=" and "rdblacklist=" parameters is added.
BZ#679108
Support for static addresses in "ipv6=" is added.
BZ#706099
A testing framework for stub commands is added.
BZ#699745
Driver disks support multiple kernel versions and are also built for Red Hat Enterprise Linux
6.0 and 6.1.
BZ#668570
Network connection is brought up before saving a bug report.
BZ#715130
Errors in .treeinfo are detected.
BZ#698282
The xhost authentication is changed when performing live installation.
BZ#664981, BZ#726804
Debugging improvements in loader and package installation code have been made.
BZ#679810
The dialog box focus and initialization have been corrected.
BZ#701220
The iSCSI Login button is disabled when no nodes are selected.
BZ#695362
When a mount point is set to /boot, the file system type is no longer changed.
BZ#728280, BZ#725777, BZ#723194, BZ#723344, BZ#694800, BZ#621175
EDD handling improvements have been made, including Xen and CCISS.
BZ#698429
Extended partitions are handled correctly.
BZ#681803
Handling of "network --device=bootif" is corrected.
BZ#750764
Centering of the Anaconda window when an external display is present is corrected.
BZ#605938
Encrypted device lines written to kickstart files are corrected.
BZ#618535
zFCP multipath devices can be added in the user interface as expected.
BZ#732380
iSCSI discovery that returns no devices is handled correctly.
BZ#704593
Systems with more than 2147483647 kB of memory are handled properly.
BZ#712487
The header image is hidden on all but 800x600 displays.
BZ#690058
The "noprobe" parameter for driver disks is honored.
BZ#713991
The "linksleep=" boot parameter is honored.
BZ#699640
Installation sources (including NFS ISO storages) are mounted correctly.
BZ#679397
Processes in the anaconda process group are killed when the system is shut down.
BZ#693271
Partitioning alignment is corrected.
BZ#616641
Progress indicator improvements for device discovery and command line mode have been
made.
BZ#691817, BZ#690748
Kickstart network failures and device name collisions are handled properly.
BZ#691910
The "crashkernel=" parameter in a kickstart file is handled properly.
BZ#712195
Support for the "ext4migrate" parameter has been removed.
BZ#706675
The language and keyboard selection screens are now skipped in stage2 when possible.
BZ#614504
Device capacity values are sorted as numbers, not characters.
BZ#695740
Swap partitions are handled correctly.
BZ#676118
The "--target" option is used in kickstart files for iSCSI devices.
BZ#701371, BZ#696876, BZ#674241, BZ#734374, BZ#729716
Various multipath and raid storage bugs are fixed.
BZ#679073
Anaconda verifies that devices specified with "part" can be partitioned.
Enhancements
BZ#659790
Vendor-provided tools on driver disks are now allowed.
BZ#694198
The initrd.img file is compressed with LZMA.
BZ#696696
The "noverifyssl" boot parameter is added.
BZ#697419
The tboot package is configured when it is installed.
BZ#709653
Multipath device can now be specified using WWID.
Users of anaconda should upgrade to this updated package, which fixes these bugs and adds these
enhancements.
4.7. apr
4.7.1. RHBA-2012:0740 — apr bug fix update
An updated apr package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The Apache Portable Runtime (APR) is a portability library used by the Apache HTTP Server and
other projects. It provides a free library of C data structures and routines.
Bug Fix
BZ#830265
Previously, a bug in the handling of IPv6 sockets was present in the apr_mcast_hops()
function. This bug could have prevented applications from successfully using multicast
with IPv6 sockets. With this update, this bug has been fixed so that the applications now
operate correctly.
All APR users are advised to install this newly released package, which fixes this bug.
4.8. at
4.8.1. RHBA-2012:0068 — at bug fix update
An updated at package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The "at" package provides the at and "batch" commands, which are used to read commands from
standard input or from a specified file. The "at" command allows you to specify that a command will
be run at a particular time. The "batch" command will execute commands when the system load
levels drop to a particular level. Both commands use the /bin/sh.
Bug Fix
BZ#783190
Due to an error in the time-parsing routine, the "at" command incorrectly calculated the
year when a job was scheduled by using days on input. For example: "at now + 10 days".
This update fixes erroneous grammar so that "at" now schedules jobs correctly.
All users of at are advised to upgrade to this updated package, which fixes this bug.
4.9. atlas
4.9.1. RHEA-2011:1582 — atlas enhancement update
Updated atlas packages that add various enhancements are now available for Red Hat Enterprise
Linux 6.
The ATLAS (Automatically Tuned Linear Algebra Software) project is a research effort focusing on
applying empirical techniques providing portable performance. The atlas packages provide C and
Fortran77 interfaces to a portably efficient BLAS (Basic Linear Algebra Subprograms) implementation
and routines from LAPACK (Linear Algebra PACKage).
The atlas packages have been upgraded to upstream version 3.8.4, which adds a number of
enhancements over the previous version. The atlas package now contains subpackages optimized
for Linux on IBM System z architectures. (BZ#694459)
All users of atlas are advised to upgrade to these updated packages, which add these
enhancements.
4.10. attr
4.10.1. RHBA-2011:1272 — attr bug fix update
Updated attr packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
The attr packages provide extended attributes, which can be used to store system objects like
capabilities of executables and access control lists, as well as user objects.
Bug Fixes
BZ#651119
Prior to this update, the setfattr utility could not restore the original values of the attributes
when the "getfattr -e text" or "getfattr --encoding=text" command was used to dump
attributes with embedded null characters. This update fixes the encoding of these values in
getfattr to prevent information loss.
BZ#665049
Prior to this update, the getfattr utility followed symbolic links to directories even if the "-h"
or "--no-dereference" option was specified. Additionally, the description in the getfattr(1)
man page that related to this functionality was misleading. This update fixes getfattr with the
"-h" option so that it no longer follows the symbolic links and the related content of the
getfattr(1) man page is now correct.
BZ#665050
Prior to this update, the getfattr utility did not return a non-zero exit code when an attribute
specified in the "getfattr" command did not exist. This update fixes getfattr so that it now
returns a non-zero exit code when an attribute does not exist.
BZ#674870
Prior to this update, supported methods for encoding values of the extended attributes were
not properly described in the setfattr(1) man page. This update adds the appropriate
descriptions of the encoding methods to the setfattr(1) man page.
BZ#702639
Prior to this update, the project web page address as stated in the package specification
did not reflect the change of the upstream project web page address. This update corrects
the project web page address in the package specification.
BZ#727307
Prior to this update, the attr library was built without support for read-only relocations
(RELRO) flags. With this update, the library is now built with partial RELRO support.
All users of attr are advised to upgrade to these updated packages, which fix these bugs.
4.11. audit
4.11.1. RHBA-2011:1739 — audit bug fix and enhancement update
Updated audit packages that fix various bugs and add several enhancements are now available for
Red Hat Enterprise Linux 6.
The audit packages contain the user space utilities for storing and searching the audit records which
have been generated by the audit subsystem in the Linux 2.6 kernel.
The audit package has been upgraded to upstream version 2.1.3, which provides a number of bug
fixes and enhancements over the previous version. (BZ#731723)
Bug Fixes
BZ#715279
Previously, the audit daemon was logging messages even when configured to ignore "disk
full" and "disk error" actions. With this update, audit now does nothing if it is set to ignore
these actions, and no messages are logged in the described scenario.
BZ#715315
Previously, the Audit remote logging client received a "disk error" event instead of "disk full"
event from a server when the server's disk space ran out. This bug has been fixed and the
logging client now returns the correct event in the described scenario.
BZ#748124
Prior to this update, the audit system was identifying the accept4() system call as the now
deprecated paccept() system call. Now, the code has been fixed and audit uses the correct
identifier for the accept4() system call.
BZ#709345
Previously, the "auditctl -l" command returned 0 even if it failed because of dropped
capabilities. This bug has been fixed and a non-zero value is now returned if the operation
is not permitted.
BZ#728475
When Kerberos support was disabled, some configuration options in the audisp-remote.conf
file related to Kerberos 5 generated warning messages about GSSAPI support
during boot. With this update, the options are now commented out in the described
scenario and the messages are no longer returned.
BZ#700005
On i386 and IBM System z architectures, the "autrace -r /bin/ls" command returned error
messages even though all relevant rules were added correctly. This bug has been fixed and
no error messages about sending add rule data requests are now returned in the described
scenario.
All audit users are advised to upgrade to these updated packages, which fix these bugs and add
these enhancements.
4.12. augeas
4.12.1. RHEA-2011:1659 — augeas bug fix and enhancement update
Updated augeas packages that fix multiple bugs and add various enhancements are now available
for Red Hat Enterprise Linux 6.
Augeas is a configuration editing tool. Augeas parses configuration files in their native formats and
transforms them into a tree. Configuration changes are made by manipulating this tree and saving it
back into native config files.
The augeas packages have been upgraded to upstream version 0.9.0, which provides a number of
bug fixes and enhancements over the previous version. (BZ#691483)
Bug Fix
BZ#693539
Previously, due to a bug in the source code, parsing invalid files failed silently without any
error message. With this update, error messages are provided to inform users about the
problem.
All users of Augeas are advised to upgrade to these updated packages, which fix these bugs and
add these enhancements.
4.13. autofs
4.13.1. RHBA-2011:1723 — autofs bug fix and enhancement update
An updated autofs package that fixes several bugs and adds various enhancements is now
available for Red Hat Enterprise Linux 6.
The autofs utility controls the operation of the automount daemon. The automount daemon
automatically mounts file systems when you use them, and unmounts them when they are not busy.
Bug Fixes
BZ#704935
The autofs utility did not reset the map entry status on a reload request. As a result, newly
added map entries that had previously recorded a mount failure failed to work. With this
update, autofs resets the map entry status on a reload request and map entries are
mounted as expected.
BZ#704939
The autofs utility could have terminated with a segmentation fault when attempting certain
mounts. This occurred due to a race condition between mount handling threads for mounts
that had previously recorded a mount failure. The automount cache map entry is now
verified to be valid.
BZ#704940
The automount(8) man page referred to a non-existent man page. This was caused by a
typographical error in the code. With this update, the man page reference has been
corrected and the man page is displayed as expected.
BZ#704929
Due to a deadlock, autofs could stop responding when attempting to mount map entries
that were nested within maps. With this update, the underlying code has been changed
and, where possible, nested map entries mount correctly.
BZ#704933
Prior to this update, automount could terminate unexpectedly with a pthreads error. This
occurred because attempts to acquire the master map lock occasionally failed as the lock
was held by another thread. With this update, the underlying code has been adapted to
wait for a short time before failing.
BZ#704928, BZ#704927
When retrieving paged results from an LDAP (Lightweight Directory Access Protocol) server,
autofs handled certain cases incorrectly, which caused the query to not obtain all results.
This update adds the code that handles these additional cases.
BZ#704937
Prior to this update, if a key entry of an automount map began with an asterisk (*) sign, the
daemon failed with a segmentation fault because the sign was not matched correctly. With
this update, such asterisk signs are handled correctly.
BZ#704228
When using GSSAPI authentication, the fact that an incorrect authentication host name
was being used caused the connection to fail. This update now gets the correct host name
for the connection.
BZ#692816
automount was not performing sufficient sanity checks of server names in its configuration.
This update corrects the configuration entry parsing.
BZ#700136
Error reporting for invalid mount locations was unclear. This update improves the error
reporting.
BZ#703332
When an automount map key is present in a file map and is also present in an included
map source, if the file map entry was removed and a lookup performed before a re-load was
issued, the map lookup would have failed. This update corrects the logic used to determine
if the lookup needs to continue into included maps.
BZ#718927
When reloading maps that include a combination of direct and indirect maps, it was
possible for automount to deadlock due to incorrect lock ordering.
BZ#
There was inadvertent use of a small amount of GPLv3-licensed code from Samba in
autofs. While this was permissible, it would have entailed explicitly relicensing autofs from
"GPLv2 or later" to "GPLv3", which is not intended for autofs at this time. Therefore, the
Samba-derived code has been replaced in order to maintain the "GPLv2 or later" licensing
status of autofs.
Enhancements
BZ#704416
This update adds the "--dumpmaps" option to the automount command, which allows you
to dump the maps from their source as seen by the automount daemon.
BZ#704932
This update adds simple Base64 encoding for LDAP and thus allows hashing of the
password entries in the /etc/autofs_ldap_auth.conf configuration file.
All autofs users are advised to upgrade to this updated package, which provides numerous bug fixes
and enhancements.
4.13.2. RHBA-2012:0320 — autofs bug fix update
An updated autofs package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The autofs utility controls the operation of the automount daemon. The automount daemon
automatically mounts file systems when you use them, and unmounts them when they are not busy.
Bug Fix
BZ#787122
A function to check validity of a mount location was meant to check only for a small subset
of map location errors. A recent improvement modification in error reporting inverted a logic
test in this validating function. Consequently, the scope of the test was widened, which
caused automount to report false positive failures. With this update, the faulty logic test has
been corrected and false positive failures no longer occur.
All users of autofs are advised to upgrade to this updated package, which fixes this bug.
4.14. autotrace
4.14.1. RHBA-2011:1168 — autotrace bug fix update
Updated autotrace packages that fix one bug are now available for Red Hat Enterprise Linux 6.
AutoTrace is a program for converting bitmaps to vector graphics. Supported input formats include
BMP, TGA, PNM, PPM, and any format supported by ImageMagick, whereas output can be produced
in PostScript, SVG, xfig, SWF, and others.
Bug Fix
BZ#658057
When installing autotrace-devel multilib RPM packages from the optional repository, file
conflicts between these packages appeared, causing the installation transaction to abort.
This problem has been fixed and the installation transaction now proceeds without
conflicts.
All users of autotrace are advised to upgrade to these updated packages, which resolve this issue.
4.15. bacula
4.15.1. RHBA-2011:1232 — bacula bug fix update
Updated bacula packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
Bacula is a set of programs that allow you to manage the backup, recovery, and verification of
computer data across a network of different computers.
Bug Fixes
BZ#651776
Prior to this update, the bacula packages were not distributed with the applybaculadate file.
As a result, the logwatch cron script failed. The problem has been fixed by including the
applybaculadate file in the bacula packages so that the logwatch cron script now works as
expected.
BZ#651780
Prior to this update, the make_catalog_backup.pl script created a MySQL configuration file,
which had the file permissions set to world-writeable and world-readable so that MySQL did
not accept the configuration file with these permissions and the MySQL database login
configuration was not used. As a result, it was not possible to complete a MySQL database
dump. With this update, the configuration file is now created with correct permissions, and
the MySQL database login configuration is used by MySQL so that it is now possible to
complete the MySQL database dump as expected.
BZ#651786
Prior to this update, there was no option to change Bacula's runtime user. As a
consequence, Bacula was always run under the root user. The problem has been fixed by
adding support for the bacula-dir, bacula-fd, and bacula-sd files in the /etc/sysconfig/
directory; these files can be used for specifying a non-root user and group with the
DIR_USER, FD_USER, SD_USER, and DIR_GROUP, FD_GROUP and SD_GROUP
options, respectively. With this update, Bacula can be run under the specified user.
BZ#651787
Prior to this update, when creating a symbolic link to the "bscan" utility, the new link was
erroneously named "dbcheck". As a result, the already existing "dbcheck" symbolic link
was overwritten by the erroneous one. Thus the "dbcheck" command ran the "bscan" utility
so that it was not possible to execute the "bscan" utility with the "bscan" command. The
problem has been fixed in this update so that the "dbcheck" and "bscan" utilities now work
as expected.
BZ#657297
Prior to this update, Bacula's default configuration missed a required option. As a result,
the Bacula tray monitor component terminated unexpectedly. The problem has been fixed
by adding the "Address" option to the "Director" section in the Bacula tray monitor
configuration file so that the Bacula tray monitor now works as expected with the default
configuration file. Note that this bug fix does not alter any existing Bacula tray monitor
configuration file. As a consequence, the Bacula tray monitor can terminate unexpectedly if
the existing Bacula tray monitor configuration is incorrect.
BZ#689400
Prior to this update, the backup size was computed incorrectly under certain
circumstances. As a consequence, the reported size of the incremental backup could have
been wrong. The problem has been fixed by correcting the backup size computation
process so that the size of the incremental backup is now reported correctly.
BZ#712794
Prior to this update, the shadow-utils package was not listed among the package
dependencies for Bacula. As a result, the bacula user and bacula group were not created
when the shadow-utils package was not present on the system, and a warning message
was displayed during the bacula packages installation. This bug has been fixed by adding
shadow-utils to the package dependencies.
BZ#712804
Prior to this update, the chkconfig package, which contains the "alternatives" utility, was
not listed among the package dependencies for Bacula. As a result, the bacula-dir and
bacula-sd services were not configured, the "alternatives" utility was not found, and
Bacula's symbolic links were not created. These problems have been fixed by adding
chkconfig to the package dependencies.
All users of Bacula are advised to upgrade to these updated packages, which fix these bugs.
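The permission problem fixed in BZ#651780, as an added example that is not Bacula's code: a C program that writes a MySQL-style option file once with permissive mode bits and once owner-only, then checks both results. The function names, the scratch directory under /tmp and the file contents are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write the whole buffer to fd and close it; 0 on success, -1 on error. */
static int write_all_and_close(int fd, const char *text)
{
    size_t left = strlen(text);
    while (left > 0) {
        ssize_t n = write(fd, text, left);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        text += n;
        left -= (size_t)n;
    }
    return close(fd);
}

/* Weak variant: asks for 0666 and leaves the result to the umask. With a
 * permissive umask the credentials end up readable and writable by anyone. */
int write_option_file_weak(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    return fd < 0 ? -1 : write_all_and_close(fd, text);
}

/* Hardened variant: O_EXCL refuses an existing file or symbolic link at the
 * path, the file is owner-only from the moment it exists, and fchmod() pins
 * the mode to exactly 0600 whatever the umask is. */
int write_option_file_private(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0600) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return write_all_and_close(fd, text);
}

/* 1 if path is a regular file owned by the caller with no group or other
 * permission bits, 0 if it is not, -1 if it cannot be examined. */
int option_file_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid())
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Runs both variants in a scratch directory under a umask of 0.
 * Result bits: 1 = weak file is private, 2 = hardened file is private,
 * 4 = hardened writer refused to overwrite. Returns -1 on setup failure. */
int demo_option_files(void)
{
    char dir[] = "/tmp/optfile-XXXXXX";
    char weak[64], priv[64];
    /* Constructed sample content, not a real credential. */
    const char *text = "[client]\nuser=bacula\npassword=EXAMPLE-ONLY\n";
    mode_t old_umask;
    int result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(weak, sizeof weak, "%s/weak.cnf", dir);
    snprintf(priv, sizeof priv, "%s/private.cnf", dir);

    old_umask = umask(0);
    if (write_option_file_weak(weak, text) == 0 && option_file_is_private(weak) == 1)
        result |= 1;
    if (write_option_file_private(priv, text) == 0 && option_file_is_private(priv) == 1)
        result |= 2;
    if (write_option_file_private(priv, text) == -1 && errno == EEXIST)
        result |= 4;
    umask(old_umask);

    unlink(weak);
    unlink(priv);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_option_files();
    printf("weak private: %d, hardened private: %d, overwrite refused: %d\n",
           r & 1, (r >> 1) & 1, (r >> 2) & 1);
    return r == 6 ? 0 : 1;
}
```

A check like option_file_is_private() is also useful on the consuming side, before a backup job trusts a credentials file it did not create itself.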
4.16. bash
4.16.1. RHBA-2012:0561 — bash bug fix update
Updated bash packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The GNU Bourne Again shell (Bash) is a shell and command language interpreter compatible with
the Bourne shell (sh). Bash is the default shell for Red Hat Enterprise Linux.
Bug Fix
BZ#814271
When a SIGCHLD signal was received in job control mode and a handler for the signal was
installed, Bash called the trap handler within the signal handler itself. This was unsafe and
could cause Bash to enter a deadlock or to terminate unexpectedly with a segmentation
fault due to memory corruption. With this update, the trap handler is now called outside of
the signal handler, and Bash no longer enters a deadlock or crashes in this scenario.
All users of bash are advised to upgrade to these updated packages, which fix this bug.
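The deferral pattern behind the BZ#814271 fix, as an added example (this is not Bash's source code): the SIGCHLD handler only sets a flag, and the trap body, which allocates memory, runs later from the main loop. The function names and the heap-backed trap are hypothetical stand-ins chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set by the handler, consumed by the main loop. A volatile sig_atomic_t
 * is the only kind of object a handler may portably write. */
static volatile sig_atomic_t sigchld_pending = 0;

/* State used by the "trap": heap memory, so it must never be touched from
 * inside a signal handler (malloc/realloc are not async-signal-safe). */
static char  *trap_log = NULL;
static size_t trap_log_len = 0;
static int    traps_run = 0;

/* The handler does the minimum: record that the signal arrived. */
static void on_sigchld(int signo)
{
    (void)signo;
    sigchld_pending = 1;
}

int install_sigchld_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART | SA_NOCLDSTOP;
    return sigaction(SIGCHLD, &sa, NULL);
}

/* Hypothetical stand-in for a user-defined SIGCHLD trap. It formats text
 * and grows a buffer, both unsafe inside a handler, safe here. */
static void run_trap(pid_t pid, int status)
{
    char line[64];
    int n = snprintf(line, sizeof line, "child %ld exit %d\n", (long)pid,
                     WIFEXITED(status) ? WEXITSTATUS(status) : -1);
    if (n < 0 || (size_t)n >= sizeof line)
        return;
    char *p = realloc(trap_log, trap_log_len + (size_t)n + 1);
    if (p == NULL)
        return;
    memcpy(p + trap_log_len, line, (size_t)n + 1);
    trap_log = p;
    trap_log_len += (size_t)n;
    traps_run++;
}

/* Fork nchildren short-lived children and reap them from the main loop.
 * Assumes install_sigchld_handler() was called. Returns children reaped. */
int spawn_and_collect(int nchildren)
{
    sigset_t block, old, wait_mask;
    int spawned = 0, reaped = 0;

    /* Block SIGCHLD so the flag test and the wait below cannot race. */
    sigemptyset(&block);
    sigaddset(&block, SIGCHLD);
    sigprocmask(SIG_BLOCK, &block, &old);
    wait_mask = old;
    sigdelset(&wait_mask, SIGCHLD);

    for (int i = 0; i < nchildren; i++) {
        pid_t pid = fork();
        if (pid == 0)
            _exit(i);              /* child: exit immediately */
        if (pid > 0)
            spawned++;
    }

    while (reaped < spawned) {
        /* sigsuspend atomically unblocks SIGCHLD and sleeps. */
        while (!sigchld_pending)
            sigsuspend(&wait_mask);
        sigchld_pending = 0;

        /* Signals coalesce: one SIGCHLD may stand for several children. */
        pid_t pid;
        int status;
        while ((pid = waitpid(-1, &status, WNOHANG)) > 0) {
            reaped++;
            run_trap(pid, status); /* trap runs outside the handler */
        }
    }
    sigprocmask(SIG_SETMASK, &old, NULL);
    return reaped;
}

int trap_count(void) { return traps_run; }

int main(void)
{
    if (install_sigchld_handler() != 0)
        return 1;
    int n = spawn_and_collect(3);
    printf("reaped %d children, ran %d traps\n%s", n, trap_count(),
           trap_log ? trap_log : "");
    free(trap_log);
    return n == 3 ? 0 : 1;
}
```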
4.17. bfa-firmware
4.17.1. RHBA-2011:1759 — bfa-firmware bug fix and enhancement update
An updated bfa-firmware package that fixes several bugs and adds various enhancements is now
available for Red Hat Enterprise Linux 6.
The bfa-firmware package contains the Brocade Fibre Channel Host Bus Adapter (HBA) Firmware to
run Brocade Fibre Channel and CNA adapters. This package also supports the Brocade BNA
network adapter.
The bfa-firmware package has been upgraded to upstream version 3.0.0.0, which provides a number
of bug fixes and enhancements over the previous version. (BZ#735142)
All users of Brocade Fibre Channel and CNA adapters are advised to upgrade to this updated
package, which fixes several bugs and adds various enhancements.
4.18. bind
4.18.1. RHSA-2012:0716 — Important: bind security update
Updated bind packages that fix two security issues are now available for Red Hat Enterprise Linux 5
and 6.
The Red Hat Security Response Team has rated this update as having important security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS)
protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use
when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.
Security Fixes
CVE-2012-1667
A flaw was found in the way BIND handled zero length resource data records. A malicious
owner of a DNS domain could use this flaw to create specially-crafted DNS resource
records that would cause a recursive resolver or secondary server to crash or, possibly,
disclose portions of its memory.
CVE-2012-1033
A flaw was found in the way BIND handled the updating of cached name server (NS)
resource records. A malicious owner of a DNS domain could use this flaw to keep the
domain resolvable by the BIND server even after the delegation was removed from the
parent DNS zone. With this update, BIND limits the time-to-live of the replacement record to
that of the record being replaced.
Users of bind are advised to upgrade to these updated packages, which correct these issues. After
installing the update, the BIND daemon (named) will be restarted automatically.
4.18.2. RHBA-2011:1697 — bind bug fix update
Updated bind packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System)
protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a
resolver library (routines for applications to use when interfacing with DNS); and tools for verifying
that the DNS server is operating properly.
Bug Fixes
BZ#699951
Prior to this update, the code in libdns which sends DNS requests was not robust enough
and suffered from a race condition. If a race condition occurred, the "named" name service
daemon logged an error message in the format "zone xxx.xxx.xxx.in-addr.arpa/IN: refresh:
failure trying master xxx.xxx.xxx.xxx#53 (source xxx.xxx.xxx.xxx#0): operation canceled"
even when zone refresh was successful. This update improves the code to prevent a race
condition in libdns and the error no longer occurs in the scenario described.
BZ#700097
A command or script traditionally gives a non-zero exit status to indicate an error. Prior to
this update, the nsupdate utility incorrectly returned the exit status "0" (zero) when the
target DNS zone did not exist. Consequently, the nsupdate command returned "success"
even though the update failed. This update corrects this error and nsupdate now returns
the exit status "2" in the scenario described.
BZ#725577
Prior to this update, named did not unload the bind-dyndb-ldap plugin in the correct
places in the code. Consequently, named sometimes terminated unexpectedly during reload
or stop when the bind-dyndb-ldap plugin was used. This update corrects the code, the
plug-in is now unloaded in the correct places, and named no longer crashes in the
scenario described.
BZ#693982
A non-writable working directory is a long-standing feature on all Red Hat systems. Previously,
named wrote "the working directory is not writable" as an error to the system log. This
update changes the code so that named now writes this information only into the debug
log.
BZ#717468
The named initscript lacked the "configtest" option that was available in earlier releases.
Consequently, users of the bind initscript could not use the "service named configtest"
command. This update adds the option and users can now test their DNS configurations
for correct syntax using the "service named configtest" command.
All users of bind are advised to upgrade to these updated packages, which fix these bugs.
4.18.3. RHBA-2011:1836 — bind bug fix update
Updated bind packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System)
protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a
resolver library (routines for applications to use when interfacing with the DNS server); and tools for
verifying that the DNS server is operating properly.
Bug Fixes
BZ#758669
Prior to this update, errors arising on automatic updates of DNSSEC trust anchors were
handled incorrectly. Consequently, the named daemon could become unresponsive on
shutdown. With this update, the error handling has been improved and named exits on
shutdown gracefully.
BZ#758670
Prior to this update, a race condition could occur on validation of DNSSEC-signed
NXDOMAIN responses and the named daemon could terminate unexpectedly. With this
update, the underlying code has been fixed and the race condition no longer occurs.
All users of bind are advised to upgrade to these updated packages, which fix these bugs.
4.18.4. RHBA-2012:0009 — bind bug fix update
Updated bind packages that fix one bug are now available for Red Hat Enterprise Linux 6.
BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System)
protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a
resolver library (routines for applications to use when interfacing with the DNS server); and tools for
verifying that the D NS server is operating properly.
Bug Fix
BZ#769366
The multi-threaded named daemon uses the atomic operations feature to speed up
access to shared data. This feature did not work correctly on the 32-bit and 64-bit PowerPC
architectures. Therefore, the named daemon sometimes became unresponsive on these
architectures. This update disables the atomic operations feature on the 32-bit and 64-bit
PowerPC architectures, which ensures that the named daemon is now more stable, reliable
and no longer hangs.
All users of bind are advised to upgrade to these updated packages, which fix this bug.
4.19. bind-dyndb-ldap
4.19.1. RHSA-2012:0683 — Important: bind-dyndb-ldap security update
An updated bind-dyndb-ldap package that fixes one security issue is now available for Red Hat
Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link(s) associated with each description below.
The dynamic LDAP back end is a plug-in for BIND that provides back-end capabilities to LDAP
databases. It features support for dynamic updates and internal caching that help to reduce the load
on LDAP servers.
Security Fix
CVE-2012-2134
A flaw was found in the way bind-dyndb-ldap handled LDAP query errors. If a remote
attacker were able to send DNS queries to a named server that is configured to use
bind-dyndb-ldap, they could trigger such an error with a DNS query leveraging
bind-dyndb-ldap's insufficient escaping of the LDAP base DN (distinguished name). This would result
in an invalid LDAP query that named would retry in a loop, preventing it from responding to
other DNS queries. With this update, bind-dyndb-ldap only attempts to retry one time when
an LDAP search returns an unexpected error.
Red Hat would like to thank Ronald van Zantvoort for reporting this issue.
All bind-dyndb-ldap users should upgrade to this updated package, which contains a backported
patch to correct this issue. For the update to take effect, the named service must be restarted.
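The two defensive measures named in CVE-2012-2134, escaping a DNS-derived value before it enters an LDAP DN and capping retries at one, shown as an added example (this is not the bind-dyndb-ldap patch). The function names, the idnsName-based DN layout, the example.test zone and the stub search back ends are assumptions made for illustration; the escaping uses the backslash-hex form that RFC 4514 permits for any byte.

```c
#include <stdio.h>
#include <string.h>

/* Bytes copied through unchanged; everything else is hex-escaped. */
static int is_safe(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_';
}

/* Escape one attribute value for use inside a DN. Returns the escaped
 * length, or -1 if the output buffer is too small. */
int dn_escape_value(const char *in, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (outsz == 0)
        return -1;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        size_t need = is_safe(c) ? 1 : 3;
        if (o + need >= outsz)          /* keep room for the final NUL */
            return -1;
        if (need == 1) {
            out[o++] = (char)c;
        } else {
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Build "idnsName=<escaped name>,<zone_dn>". The attribute name and layout
 * are assumed for this example. Returns the DN length or -1 on overflow. */
int build_record_dn(const char *name, const char *zone_dn,
                    char *out, size_t outsz)
{
    char esc[256];
    if (dn_escape_value(name, esc, sizeof esc) < 0)
        return -1;
    int n = snprintf(out, outsz, "idnsName=%s,%s", esc, zone_dn);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

typedef enum { SEARCH_OK = 0, SEARCH_ERROR = 1 } search_rc;
typedef search_rc (*search_fn)(const char *dn, void *ctx);

/* Run a search with at most one retry, so a query the server keeps
 * rejecting cannot hold the caller in a loop. */
search_rc search_retry_once(search_fn search, const char *dn, void *ctx,
                            int *attempts)
{
    search_rc rc = SEARCH_ERROR;
    int tries = 0;

    while (tries < 2) {                 /* first attempt plus one retry */
        rc = search(dn, ctx);
        tries++;
        if (rc == SEARCH_OK)
            break;
    }
    if (attempts != NULL)
        *attempts = tries;
    return rc;
}

/* Constructed stub back ends; ctx points at an int call counter. */
static search_rc backend_always_fails(const char *dn, void *ctx)
{
    (void)dn;
    ++*(int *)ctx;
    return SEARCH_ERROR;
}

static search_rc backend_fails_once(const char *dn, void *ctx)
{
    (void)dn;
    return ++*(int *)ctx == 1 ? SEARCH_ERROR : SEARCH_OK;
}

int main(void)
{
    char dn[256];
    int calls = 0, attempts = 0;

    /* Constructed input: a name containing DN metacharacters. */
    if (build_record_dn("a,b=c", "idnsName=example.test,cn=dns", dn,
                        sizeof dn) < 0)
        return 1;
    printf("%s\n", dn);
    search_retry_once(backend_always_fails, dn, &calls, &attempts);
    printf("gave up after %d attempts\n", attempts);
    calls = 0;
    search_retry_once(backend_fails_once, dn, &calls, &attempts);
    printf("recovered after %d attempts\n", attempts);
    return 0;
}
```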
4.19.2. RHBA-2011:1715 — bind-dyndb-ldap bug fix update
An updated bind-dyndb-ldap package that fixes several bugs is now available for Red Hat Enterprise
Linux 6.
The dynamic LDAP (Lightweight Directory Access Protocol) back end is a plug-in for BIND that
provides LDAP database back-end capabilities. It features support for dynamic updates and
internal caching to lift the load off of the LDAP server.
Bug Fixes
BZ#742368
Previously, the bind-dyndb-ldap plug-in could fail to honor the selected authentication
method because it did not call the ldap_bind() function on reconnection. Consequently, the
plug-in connected to the LDAP server anonymously. With this update, the ldap_bind()
function is executed on reconnection and the plug-in uses the correct authentication
method in the described scenario.
BZ#707255
The bind-dyndb-ldap plug-in failed to load new zones from the LDAP server at runtime. This
update adds the zone_refresh parameter to the plug-in which controls how often the zone
check is performed.
BZ#745045
The bind-dyndb-ldap plug-in could fail to connect to the LDAP server. This happened when
the LDAP server was using localhost and FreeIPA installation was using a name different
from the machine hostname. This update adds to the plug-in the ldap_hostname option,
which can be used to set the correct LDAP server hostname.
BZ#727856
The "named" process could have remained unresponsive due to a race condition in the
bind-dyndb-ldap plug-in. With this update, the race condition has been resolved and the
problem no longer occurs.
All users of bind-dyndb-ldap are advised to upgrade to this updated package, which fixes these
bugs.
4.20. binutils
4.20.1. RHBA-2011:1523 — binutils bug fix and enhancement update
An updated binutils package that fixes several bugs and adds various enhancements is now
available for Red Hat Enterprise Linux 6.
binutils is a collection of binary utilities, including ar (for creating, modifying and extracting from
archives), as (a family of GNU assemblers), gprof (for displaying call graph profile data), ld (the GNU
linker), nm (for listing symbols from object files), objcopy (for copying and translating object files),
objdump (for displaying information from object files), ranlib (for generating an index for the contents
of an archive), readelf (for displaying detailed information about binary files), size (for listing the
section sizes of an object or archive file), strings (for listing printable strings from files), strip (for
discarding symbols), and addr2line (for converting addresses to file and line).
Bug Fixes
BZ#664640
Prior to this update, the readelf utility added 0x40 into a character in order to display a
non-printing character but did not do so when processing a multibyte character. As a
result, the readelf utility did not display a multibyte character in the ELF header correctly.
The code has been corrected and readelf no longer displays garbled characters when
processing multibyte, or non-ASCII, characters.
BZ#674925
An unneeded patch to binutils caused a large link time degradation when using the
binutils --build-id command. This update removes that patch.
BZ#689829
An Operating System (OS) Application Binary Interface (ABI) describes the low-level interface
between a program and the operating system (OS/ABI). The indirect meta-function,
ifunc(), whose value can be determined at load time, allows for architecture dependent
optimization. Prior to this update, the OS/ABI preprocessor macro was erroneously set to
UNIX - Linux instead of UNIX - System V in an ELF header by a dynamic executable
which used ifunc(). This update applies a backported patch which corrects the code and
the error no longer occurs.
BZ#698005
Prior to this update, the binutils' strip command, which is run as part of the RPM build
process, did not copy the EI_OSABI value in the ELF file header properly; it set the value to
zero. Consequently, if the EI_OSABI field of the debug file had a value of 3 (ABI tag for
GNU/Linux), in the stripped file it was erroneously set to 0 (UNIX - System V). This
update corrects the problem and strip now leaves the field intact.
BZ#701586
On 64-bit PowerPC platforms, the position of -ldl in the list of compiler options caused
unexpected behavior when compiling C++ code. If -ldl was not placed at the end of
the parameter list, the GNU C Compiler (GCC) failed with an error in the format:
libtest.a(some_object_file.o): undefined reference to `.dlerror'
With this update, the code has been corrected and the GCC compiler functions as expected.
BZ#707387
When compiling C source code using the GNU C Compiler (GCC), a Table Of Contents
(TOC) is created for every executable file. Prior to this update, when compiling C++ code using
GCC for 64-bit PowerPC with the -mcmodel=small -mno-minimal-toc options, the
GNU linker (ld) erroneously decided that if a section did not make use of the TOC it could
belong to any TOC group. Consequently, when a local function call was made from one
section of code to another section in the same object file, due to the two sections being
assigned to different TOC groups, a failure occurred and an error message in the following
format was logged.
libbackend.a(cse.o)(.text.unlikely+0x60): sibling call optimization to `.opd' does not allow automatic multiple TOCs;
recompile with -mminimal-toc or -fno-optimize-sibling-calls, or
make `.opd' extern
This update applies an upstream patch to improve the partitioning of sections of code,
which make local function calls, into multiple TOC groups. As a result the error no longer
occurs in the scenario described.
Note
It is necessary to relink executables and shared libraries containing objects which
were compiled with -mcmodel=small -mno-minimal-toc. Therefore, code
should be recompiled by running these commands again after applying the update.
BZ#714824
Prior to this update, after compiling a kernel from source code with debugging information,
some debug information was missing. Consequently, when using the GNU Project's
debugger (GDB) utility, if a user issued the command l setup_arch to determine the
target architecture, the following error was displayed.
No line number known for setup_arch
This update corrects the code and the GDB utility now correctly displays the architecture for
which the code was compiled.
BZ#721079
Compilers used for producing code optimized for 64-bit PowerPC platforms use the default
Red Hat Enterprise Linux system linker, ld, provided with the operating system to produce
executables and libraries. Some object code generated by the IBM XL compiler caused ld to
terminate unexpectedly with a segmentation fault. Consequently, users were not able to
produce optimized executables or libraries. With this update, a backported patch has been
applied to correct the problem and ld no longer crashes in the scenario described.
BZ#733122
When linking FORTRAN programs with the IBM XL compiler and the default Red Hat
Enterprise Linux 6.1 system linker, ld sometimes terminated unexpectedly with a
segmentation fault. This update applies an upstream patch to correct the problem and ld
no longer crashes in the scenario described.
BZ#747695
The assembler, as, when generating a memory reference to a local symbol plus or minus an
offset, did not include the constant offset when generating 32-bit x86 code. Consequently,
when the local symbol being referenced was defined before the instruction using the symbol
with an offset, an error would occur. This update corrects the code and the problem no
longer occurs.
Enhancements
BZ#696368
With this update, backported patches have been included to support new AMD processors.
BZ#696494
Certain Intel processors support a new RdRand instruction to generate a true random
number in a short time. This update includes support for this new instruction.
Users of binutils are advised to upgrade to this updated package, which fixes these bugs and adds
these enhancements.
4.21. biosdevname
4.21.1. RHBA-2011:1608 — biosdevname bug fix and enhancement update
An updated biosdevname package that fixes several bugs and adds various enhancements is now
available for Red Hat Enterprise Linux 6.
The biosdevname package contains an optional convention for naming network interfaces; it
assigns names to network interfaces based on their physical location. The package is disabled by
default, except for a limited set of Dell PowerEdge, C Series and Precision Workstation systems.
The biosdevname package has been upgraded to upstream version 0.3.11, which provides a number
of bug fixes and enhancements over the previous version. (BZ#696203)
Bug Fixes
BZ#700248
When NPAR (NIC Partitioning) is enabled, the partition number should be appended as a
suffix to the interface name. Previously, biosdevname did not add partition numbers to
interface names, for example, instead of naming an interface "em3_1", the interface was
named "em3". Consequently, partitioned network interfaces were missing the suffix
necessary to describe the partition. Now, biosdevname correctly recognizes the VPD (Vital
Product Data) suffix and full interface names are created correctly.
BZ#700251
When biosdevname ran in a guest environment, it suggested names to new network
interfaces as if it was in a host environment. Consequently, affected network interfaces were
incorrectly renamed. Now, biosdevname no longer suggests names in the described
scenario.
BZ#729591
When biosdevname was reading VPD information to retrieve NPAR-related data, the read
operations failed or became unresponsive on certain RAID controllers. Additionally,
biosdevname sometimes attempted to read beyond the VPD boundary in the sysfs VPD file,
which also resulted in a hang. This bug has been fixed and biosdevname now performs the
read operation correctly in the described scenarios.
BZ#739592
Previously, the "--smbios" and "--nopirq" command-line parameters were missing in the
biosdevname binary. Consequently, consistent network device naming could not be
enabled because biosdevname exited without suggesting a name. This update adds
support for these parameters and enables the device naming.
BZ#740532
Previously, NICs (Network Interface Cards) on biosdevname-compatible machines were
given traditional "eth*" names instead of "em*" or "p*p*" names. This bug has been fixed
and biosdevname now provides correct names for the NICs.
Enhancements
BZ#696252
With this update, "--smbios" and "--nopirq" command-line parameters have been added to
biosdevname.
BZ#736442
The biosdevname man page has been updated to explain the functionality of the
"--smbios" and "--nopirq" command-line parameters.
Users of biosdevname are advised to upgrade to this updated package, which fixes these bugs and
adds these enhancements.
4.22. blktrace
4.22.1. RHBA-2011:1758 — blktrace bug fix and enhancement update
Updated blktrace packages that fix one bug and add one enhancement are now available for Red
Hat Enterprise Linux 6.
The blktrace packages contain a number of utilities to record the I/O trace information for the kernel
to user space, and utilities to analyze and view the trace information.
Bug Fix
BZ#705128
Prior to this update, the blkparse code contained a misprint. As a result, blkparse used the
wrong variable when printing the PC Writes Completed. This update modifies the code so
that blkparse now prints the correct value for PC Writes Completed.
Enhancement
BZ#736399
This update adds FLUSH/FUA support to blktrace.
All blktrace users are advised to upgrade to these updated packages, which fix this bug and add this
enhancement.
4.23. bltk
4.23.1. RHBA-2011:1227 — bltk bug fix update
An updated bltk package that fixes two bugs is now available for Red Hat Enterprise Linux 6.
The bltk (Battery Life Tool Kit) package includes binaries and scripts to test battery life.
Bug Fixes
BZ#618308
Prior to this update, the bltk tree was corrupted. As a result, the bltk_report script failed. This
update modifies the settings of the bltk root path. Now, the report script works as expected.
BZ#679028
Prior to this update, bltk could be installed without requiring the gnuplot binary. As a result,
the bltk_plot script exited with an error message when the gnuplot package was not
installed and the charts were shown from measured data. This update requires the gnuplot
package for its installation. Now, the bltk_plot script no longer exits with an error.
All bltk users are advised to upgrade to this updated package, which fixes these bugs.
4.24. cachefilesd
4.24.1. RHBA-2011:1679 — cachefilesd bug fix update
An updated cachefilesd package that fixes two bugs is now available for Red Hat Enterprise Linux 6.
The cachefilesd package manages a kernel module that attempts to improve the performance of
selected file systems by using local disk space to cache data read over the network.
Bug Fixes
BZ#660347
Prior to this update, cachefilesd used the wrong log level for cull info messages. As a result,
the /var/log/messages file could become overloaded. This update reduces the messages to
the debug level. Now, /var/log/messages no longer becomes overloaded.
BZ#723890
Prior to this update, cachefilesd depended on a specific version of the SELinux policy
package. As a result, only the nominated version was allowed. This update permits the
nominated version and any later versions. Now, the SELinux policy dependency works as
expected.
All users of cachefilesd are advised to upgrade to this updated package, which fixes these bugs.
4.25. certmonger
4.25.1. RHBA-2011:1708 — certmonger bug fix update
An updated certmonger package that fixes multiple bugs is now available for Red Hat Enterprise
Linux 6.
The certmonger service monitors certificates as the date at which they become invalid approaches,
optionally attempting to re-enroll with a supported certificate authority (CA) to keep the services which
use the certificates running without incident.
Bug Fixes
BZ#692766
Previously, the certmonger service could access a Network Security Services (NSS)
database without a password, despite being configured to use a password to access that
database. This behavior was not recognized as an error. This update correctly diagnoses
this inconsistency as an error.
BZ#694184
Previously, if the certmonger service could not generate a key pair in an NSS database
because it did not have the password that was required for accessing the database, the
certmonger service did not recover when it was subsequently given the correct password.
This update handles this case correctly.
BZ#697058
Previously, the certmonger service did not correctly diagnose a missing token if the name of
the token to use was specified when the service was instructed to generate a key pair for
storage in an NSS database. This update corrects this error.
BZ#712500
Previously, the certmonger service encountered an assertion failure if the D-Bus message
bus service was not already running when certmonger was started. This update modifies
the certmonger service so that no more assertion problems occur in such a situation.
BZ#721392
Previously, when the getcert command needed to report an error message which it received
from the certmonger service, it exited unexpectedly due to a logic error. This update corrects
the logic so that the error message is correctly reported.
BZ#727863
Previously, the certmonger service was not fully compatible with newer versions of the
xmlrpc-c and libcurl packages. As a result, credentials could not be delegated when using
GSSAPI authentication with a CA that was accessed via XML-RPC. This update includes
the necessary changes to continue to be able to delegate credentials when using GSSAPI
authentication with a CA that is accessed using XML-RPC, such as IPA.
BZ#699059, BZ#739903
Previously, when the getcert request command was given a location for key or certificate
storage using a relative path, and the location did not exist, the error was only reported
after multiple warnings during which the command attempted to convert the relative path to
an absolute path. This update suppresses these warnings.
BZ#741262
Previously, an incorrect error message was displayed if the getcert resubmit command was
invoked with the -i flag to specify which request should be resubmitted to a CA but no
request that matched the provided value was present. This update displays the correct error
message.
BZ#742348
Due to a logic error, attempts to save a newly-obtained certificate to an NSS database
could fail intermittently. This update corrects the error.
Enhancements
BZ#698772
Previously, the getcert list command only printed information about every certificate and
enrollment request being managed by certmonger, and there was no way to narrow down
the results. This update includes an updated version of the command which can narrow the
result set if the invoking user provides information about the location of the certificate or key
in which the user is interested.
BZ#750617
This update now includes an HTTP "Referer:" header value when submitting requests to
CAs which are accessed using XML-RPC, as is expected to be required by future releases of
the IPA CA.
All users of the certmonger service are advised to upgrade to this updated package, which fixes these
bugs and adds these enhancements.
4.26. chkconfig
4.26.1. RHBA-2012:0415 — chkconfig bug fix update
Updated chkconfig packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The basic system utility chkconfig updates and queries runlevel information for system services.
Bug Fixes
BZ#797847
When installing multiple Linux Standard Base (LSB) services which only had LSB headers,
the stop priority of the related LSB init scripts could have been miscalculated and set to
"1". With this update, the LSB init script ordering mechanism has been fixed, and the stop
priority of the LSB init scripts is now set correctly.
BZ#797846
When an LSB init script requiring the "$local_fs" facility was installed with the "install_initd"
command, the installation of the script could fail under certain circumstances. With this
update, the underlying code has been modified to ignore this requirement because the
"$local_fs" facility is always implicitly provided. LSB init scripts with requirements on
"$local_fs" are now installed correctly.
All users of chkconfig are advised to upgrade to these updated packages, which fix these bugs.
4.27. cifs-utils
4.27.1. RHBA-2011:1585 — cifs-utils bug fix update
An updated cifs-utils package that fixes two bugs is now available for Red Hat Enterprise Linux 6.
The cifs-utils package contains utilities for mounting and managing CIFS shares.
Bug Fixes
BZ#676439
Prior to this update, mount.cifs dropped the CAP_DAC_READ_SEARCH flag together with
most of the other capability flags before it performed a mount. As a result, mounting onto a
directory without execute permissions failed if mount.cifs was installed as a setuid program
and the user mount was configured in the /etc/fstab file. This update reinstates the
CAP_DAC_READ_SEARCH flag before calling mount. Now, mounting no longer fails.
BZ#719363
Prior to this update, several mount options were missing from the mount.cifs(8) man page.
With this update, the man page documents all mount options.
All users of cifs-utils are advised to upgrade to this updated cifs-utils package, which fixes these
bugs.
4.28. cjkuni-fonts
4.28.1. RHBA-2011:0922 — cjkuni-fonts bug fix update
Updated cjkuni-fonts packages that fix one bug are now available for Red Hat Enterprise Linux 6.
CJK Unifonts are Unicode TrueType fonts derived from original fonts made available by Arphic
Technology under the Arphic Public License and extended by the CJK Unifonts project.
Bug Fix
BZ#682650
Prior to this update, when viewing the U+4190 CJK character with the AR PL UMing font and
the font size 10, this character was not displayed properly. This bug has been corrected in
this update so that the character is now correctly displayed as expected.
All users of cjkuni-fonts are advised to upgrade to these updated packages, which fix this bug.
4.29. cluster and gfs2-utils
4.29.1. RHBA-2012:1190 — cluster and gfs2-utils bug fix update
Updated cluster and gfs2-utils packages that fix one bug are now available for Red Hat Enterprise
Linux 6 Extended Update Support.
The Red Hat Cluster Manager is a collection of technologies working together to provide data
integrity and the ability to maintain application availability in the event of a failure. Using redundant
hardware, shared disk storage, power management, and robust cluster communication and
application failover mechanisms, a cluster can meet the needs of the enterprise market.
Bug Fix
BZ#849048
Previously, it was not possible to specify start-up options to the dlm_controld daemon. As a
consequence, certain features were not working as expected. With this update, it is possible
to use the /etc/sysconfig/cman configuration file to specify dlm_controld start-up options,
thus fixing this bug.
All users of cluster and gfs2-utils are advised to upgrade to these updated packages, which fix this
bug.
4.29.2. RHBA-2011:1516 — cluster and gfs2-utils bug fix and enhancement update
Updated cluster and gfs2-utils packages that fix multiple bugs and add various enhancements are
now available for Red Hat Enterprise Linux 6.
The cluster packages contain the core clustering libraries for Red Hat High Availability as well as
utilities to maintain GFS2 file systems for users of Red Hat Resilient Storage.
Bug Fixes
BZ#707115
The cluster and gfs2-utils packages have been upgraded to upstream version 3.0.12.1,
which provides a number of bug fixes over the previous version.
BZ#713977
Previously, when a custom multicast address was configured, the configuration parser
incorrectly set the default value of the time-to-live (TTL) variable for multicast packets to 0. As
a consequence, cluster nodes were not able to communicate with each other. With this
update, the default TTL value is set to 1, which fixes the problem.
BZ#726777
A section describing the "suborg" option for the fence_cisco_ucs agent was not present in
the RELAX NG schema which is used to validate the cluster.conf file. As a consequence,
validation of cluster.conf failed even if the file was valid. The suborg section has been
added to the RELAX NG schema and cluster.conf is now validated correctly.
BZ#707091
Building the resource group index for a new GFS2 file system using the mkfs.gfs2 utility
used all the space allocated. If the file system filled up completely, no room was left to write
a new rindex entry. As a consequence, the gfs2_grow utility was unable to expand the file
system. The mkfs.gfs2 utility has been modified so that enough space is now allocated for
the entire rindex file, and one extra rindex entry. The gfs2_grow source code has been
modified to utilize the unused rindex space. As a result, gfs2_grow is now able to expand a
completely full GFS2 file system.
BZ#678585
GFS2 POSIX (Portable Operating System Interface) lock operations (implemented in
Distributed Lock Manager, also known as DLM) are not interruptible when they wait for
another POSIX lock. Previously, processes that created a deadlock with POSIX locks could
not be killed to resolve the problem, and one node had to be reset. DLM now uses a new
kernel feature that allows the waiting process to be killed, and information about the killed
process is now passed to the dlm_controld daemon to be cleaned up. Processes
deadlocked on GFS2 POSIX locks can now be recovered by killing one or more of them.
BZ#719135
Prior to this update, boundaries for the locktable and label fields in the GFS2 superblock
were not properly checked by the tunegfs2 tool. As a consequence, running the "gfs2_tool
sb" command could terminate unexpectedly with a buffer overflow. In addition, invalid
characters could be printed when using tunegfs2 to change locktable or label to a minimum
or maximum length (63 characters). The tunegfs2 tool has been modified to check the correct
boundaries of the locktable and label fields. As a result, tunegfs2 no longer creates invalid
locktables or labels, and therefore gfs2_tool prints the superblock values properly.
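A bounds check of the kind described for BZ#719135, as an added example that is not tunegfs2 or gfs2_tool source. The 64-byte field size is an assumption (the 63-character maximum above plus a terminating NUL), and the struct and function names are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: each field occupies 64 bytes on disk, i.e. the 63-character
 * maximum quoted above plus a terminating NUL. */
#define SB_FIELD_LEN 64

/* Hypothetical stand-in for the two string fields of the superblock. */
struct sb_strings {
    char locktable[SB_FIELD_LEN];
    char label[SB_FIELD_LEN];
};

/* Length of s, looking at no more than max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;

    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Writer side: store value in a fixed-size field. Returns 0 on success,
 * -EINVAL for a NULL value, -ENAMETOOLONG if value plus its NUL does not
 * fit. The field is left untouched on error. */
int sb_field_set(char *field, const char *value)
{
    size_t len;

    if (value == NULL)
        return -EINVAL;
    len = bounded_len(value, SB_FIELD_LEN);
    if (len >= SB_FIELD_LEN)            /* 64 or more characters */
        return -ENAMETOOLONG;
    memset(field, 0, SB_FIELD_LEN);     /* no stale bytes after the value */
    memcpy(field, value, len);
    return 0;
}

/* Reader side: copy a field that came from disk into out for printing.
 * A field with no NUL inside its 64 bytes is reported as -EILSEQ instead
 * of being passed to printf("%s"), which would read past the field.
 * Returns the string length, or -ERANGE if out is too small. */
int sb_field_get(const char *field, char *out, size_t out_len)
{
    size_t len = bounded_len(field, SB_FIELD_LEN);

    if (len == SB_FIELD_LEN)            /* no terminator inside the field */
        return -EILSEQ;
    if (out_len <= len)
        return -ERANGE;
    memcpy(out, field, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    struct sb_strings sb;
    char longest[SB_FIELD_LEN], too_long[SB_FIELD_LEN + 1], out[SB_FIELD_LEN];

    memset(longest, 'a', SB_FIELD_LEN - 1);
    longest[SB_FIELD_LEN - 1] = '\0';
    memset(too_long, 'a', SB_FIELD_LEN);
    too_long[SB_FIELD_LEN] = '\0';

    printf("63 characters: %d\n", sb_field_set(sb.label, longest));
    printf("64 characters: %d\n", sb_field_set(sb.label, too_long));
    printf("read back:     %d\n", sb_field_get(sb.label, out, sizeof(out)));

    /* Constructed corrupt field: all 64 bytes used, no terminator. */
    memset(sb.locktable, 'x', SB_FIELD_LEN);
    printf("unterminated:  %d\n",
           sb_field_get(sb.locktable, out, sizeof(out)));
    return 0;
}
```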
BZ#740385
When executing the cman utility by using the init script with enabled debugging, a file
descriptor leaked. The file that the descriptor pointed to would continue to grow endlessly,
filling up the /tmp file system. This update ensures that the file descriptor is closed after a
successful cman startup. Space in /tmp is now released correctly.
BZ#695795
The cman utility implements a complex set of checks to configure the Totem protocol. One of
the checks that copies the configuration data was incorrect and the transport protocol
option was not handled correctly as a consequence. A patch has been applied to address
this issue and cman now handles the transport option properly.
BZ#679566
When the user executed the "gfs2_edit savemeta" command to save the metadata for a
target GFS2 file system, not all of the directory information was saved for large directories. If
the metadata was restored to another device, the fsck.gfs2 tool found directory corruption
because of a missing leaf block. This was due to gfs2_edit treating the directory leaf index
(also known as the directory hash table) like a normal data file. With this update,
gfs2_edit's savemeta function is modified to actually read all the data (the directory hash
table) for large directories and traverse the hash table, saving all the leaf blocks. Now, all
leaf blocks are saved properly.
BZ#679080
When the fsck.gfs2 tool was resolving block references and no valid reference was found,
the reference list became empty. As a consequence, the fsck.gfs2 check in pass1b terminated
unexpectedly with a segmentation fault. With this update, pass1b is modified to check whether
the list is empty. The segmentation fault no longer occurs and fsck.gfs2 proceeds as
expected.
BZ#731775
The dlm_controld daemon passed error results back to the kernel for POSIX unlock
operations flagged with CLOSE. As a consequence, the kernel displayed the "dlm: dev_write
no op" error messages, most of them when using non-POSIX locks (flocks). The
dlm_controld daemon has been fixed to not pass error results to the kernel for POSIX
unlock operations flagged with CLOSE. As a result, error messages no longer appear.
BZ#729071
Previously, the mount.gfs2 utility passed the "loop" option to the GFS2 kernel module
which treated it as an invalid option. Mounting a GFS2 file system on loopback devices
failed with an "Invalid argument" error message. With this update, mount.gfs2 is modified to
avoid passing the "loop" option to the kernel. Mounting GFS2 systems on loopback
devices now works as expected.
BZ#728230
Missing sanity checks related to the length of a cluster name caused the cman utility to fail
to start. The correct sanity checks have been implemented with this update. The cman utility
starts successfully and informs the user of the incorrect value of the cluster name, if
necessary.
BZ#726065
The XML format requires special handling of certain special characters. Handling of these
characters was not implemented correctly, which caused the cluster.conf file to not function
as expected. Correct handling of the characters has been implemented and cluster.conf
now works as expected.
BZ#706141
The exact device/mount paths were not compared due to incorrect logic in mount.gfs2 when
trying to find mtab entries for deletion. The original entry was not found during remounts
and therefore was not deleted. This resulted in double mtab entries. With this update, the
realpath() function is used on the device/mount paths so that they match the content of
mtab. As a result, the correct original mtab entry is deleted during a remount, and a
replacement entry with the new mount options is inserted in its place.
BZ#720668
Previously, mkfs.gfs2 treated normal files incorrectly as if they were block devices.
Attempting to create a GFS2 file system on a normal file caused mkfs.gfs2 to fail with a "not
a block device" error message. Additional checks have been added so that mkfs.gfs2 does
not call functions specific for block devices on normal files. GFS2 file systems can now be
created on normal files. However, use of GFS2 in such cases is not recommended.
BZ#719126
The tunegfs2 command line usage message was not updated to reflect the available
arguments which are documented in the man page. As a consequence, tunegfs2 printed an
inaccurate usage message. The usage message has been updated and tunegfs2 now
prints an accurate message.
BZ#719124
Previously, certain argument validation functions did not return error values, and tunegfs2
therefore printed confusing error messages instead of exiting quietly. Error handling has
been improved in these validation functions, and tunegfs2 now exits quietly instead of
printing the confusing messages.
BZ#694823
Previously, the gfs2_tool command printed the UUID (Universally Unique Identifier) output
in uppercase. Certain applications expecting the output to be in lowercase (such as
mount) could have malfunctioned as a consequence. With this update, gfs2_tool is
modified to print UUIDs in lowercase so that they are in a commonly accepted format.
BZ#735917
The qdisk daemon did not allow cman to update the quorum disk device name. The
quorum disk device name was not updated when the device was changed and, in very rare
cases, the number of qdiskd votes would therefore not be correct. A new quorum API call
has been implemented to update the name and votes of a quorum device. As a result,
quorum disk device names and votes are updated consistently and faster than before.
BZ#683104
Prior to this update, the fsck.gfs2 utility used the number of entries in the journal index to
look for missing journals. As a consequence, if more than one journal was missing, not all
journals were rebuilt and subsequent runs of fsck.gfs2 were needed to recover all the
journals. Each node needs its own journal; fsck.gfs2 has therefore been modified to use the
"per_node" system directory to determine the correct number of journals to repair. As a
result, fsck.gfs2 now repairs all the journals in one run.
BZ#663397
Previously, token timeout intervals of corosync were larger than the time it took a failed
node to rejoin the cluster. Consequently, corosync did not detect that a node had failed
until it rejoined. The failed node had been added again before the dlm_controld daemon
asked corosync for the new member list, but dlm_controld did not notice this change. This
eventually caused the DLM (Distributed Lock Manager) lockspace operations to get stuck.
With this update, dlm_controld can notice that a node was removed and added between
checks by looking for a changed incarnation number. Now, dlm_controld can properly
handle nodes that are quickly removed and added again during large token timeouts.
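How an incarnation number exposes a node that left and rejoined between two membership checks (BZ#663397), as an added example that is not dlm_controld code. The struct layout, function names and sample values are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical view of one member in a membership snapshot. */
struct member {
    uint32_t nodeid;
    uint32_t incarnation;   /* differs after the node has left and rejoined */
};

enum change { NODE_ADDED = 1, NODE_REMOVED, NODE_RESTARTED };

struct event {
    uint32_t nodeid;
    enum change what;
};

static const struct member *find_member(const struct member *list, size_t n,
                                        uint32_t nodeid)
{
    size_t i;

    for (i = 0; i < n; i++)
        if (list[i].nodeid == nodeid)
            return &list[i];
    return NULL;
}

/*
 * Compare the snapshot taken at the previous check (old) with the current
 * one (cur) and record what changed. With use_incarnation == 0 only node
 * IDs are compared, so a node that failed and rejoined between the two
 * checks looks unchanged. With use_incarnation != 0 the same node is
 * reported as NODE_RESTARTED and can be handled as a removal followed by
 * an addition.
 * Returns the number of events written to out, or -1 if out is too small.
 */
int diff_members(const struct member *old, size_t n_old,
                 const struct member *cur, size_t n_cur,
                 int use_incarnation, struct event *out, size_t max)
{
    size_t i, n = 0;

    for (i = 0; i < n_old; i++) {
        const struct member *now = find_member(cur, n_cur, old[i].nodeid);
        enum change what;

        if (now == NULL)
            what = NODE_REMOVED;
        else if (use_incarnation && now->incarnation != old[i].incarnation)
            what = NODE_RESTARTED;
        else
            continue;
        if (n == max)
            return -1;
        out[n].nodeid = old[i].nodeid;
        out[n].what = what;
        n++;
    }
    for (i = 0; i < n_cur; i++) {
        if (find_member(old, n_old, cur[i].nodeid) != NULL)
            continue;
        if (n == max)
            return -1;
        out[n].nodeid = cur[i].nodeid;
        out[n].what = NODE_ADDED;
        n++;
    }
    return (int)n;
}

int main(void)
{
    /* Constructed snapshots: node 2 failed and rejoined between checks. */
    const struct member before[] = { {1, 100}, {2, 200}, {3, 300} };
    const struct member after[]  = { {1, 100}, {2, 201}, {3, 300} };
    struct event ev[4];

    printf("node IDs only:    %d change(s)\n",
           diff_members(before, 3, after, 3, 0, ev, 4));
    printf("with incarnation: %d change(s)\n",
           diff_members(before, 3, after, 3, 1, ev, 4));
    return 0;
}
```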
BZ#732991
Previously, if a cluster was configured with a redundant corosync ring, the dlm_controld
daemon would log harmless EEXIST errors, "mkdir failed: 17". This update removes these
error messages so that they no longer appear.
Enhancements
BZ#733345
The corosync IPC port allows, when configured correctly, non-privileged users to access
corosync services. Prior to this update, the cman utility did not handle such connections
correctly. As a consequence, users were not able to configure unprivileged access to
corosync when it was executed using cman. This update adds support to cman to
configure unprivileged access. As a result, configured users and groups can now access
corosync services without root privileges.
BZ#680930
This update introduces dynamic schema generation, which provides a lot of flexibility for
end users. Users can plug custom resource and fence agents into the Red Hat Enterprise
Linux High Availability Add-On, and still retain the possibility to validate their cluster.conf file
against those agents.
BZ#732635, BZ#735912
This update adds support for Redundant Ring Protocol, which aligns the default
configuration of cman with corosync. Note that this enhancement is included as a
Technology Preview.
BZ#702313
Previously, gfs2_edit saved GFS2 metadata uncompressed. Saved GFS2 metadata sets
could have filled up a lot of storage space, and transferring them (for example, for support
and debugging) would be slow. This update adds gzip compression to the metadata
saving and restoring functions of gfs2_edit. GFS2 metadata sets are now compressed
when saving and decompressed when restoring them. The user can specify the
compression level with a command line option.
BZ#704178
With this update, the tunegfs2 utility replaces the superblock manipulating feature of
gfs2_tool.
BZ#673575
Previously, the fence_scsi agent did not reboot a node when it was fenced. As a
consequence, the node had to be rebooted manually before rejoining the cluster. This
update provides a script for detecting loss of SCSI reservations. This can be used in
conjunction with the watchdog package in order to reboot a failed host.
Users of cluster and gfs2-utils are advised to upgrade to these updated packages, which fix these
bugs and add these enhancements.
4.29.3. RHBA-2012:0575 — cluster and gfs2-utils bug fix update
Updated cluster and gfs2-utils packages that fix one bug are now available for Red Hat Enterprise
Linux 6.
The Red Hat Cluster Manager is a collection of technologies working together to provide data
integrity and the ability to maintain application availability in the event of a failure. Using redundant
hardware, shared disk storage, power management, and robust cluster communication and
application failover mechanisms, a cluster can meet the needs of the enterprise market.
Bug Fix
BZ#820357
Prior to this update, the cmannotifyd daemon did not correctly generate a cluster status notification
message at first cluster startup. This update addresses the problem and now cmannotifyd
will correctly trigger the notification hooks when the daemon is started.
All users of cluster and gfs2-utils are advised to upgrade to these updated packages, which fix this
bug.
4.30. clustermon
4.30.1. RHEA-2011:1550 — clustermon bug fix update
Updated clustermon packages that fix a bug and add an enhancement are now available for Red Hat
Enterprise Linux 6.
The clustermon packages are used for remote cluster management.
Bug Fix
BZ#634373
Previously, the clustermon tool failed to shut down nodes if the user had mounted a GFS2
file system that was not listed in the /etc/fstab file. This was caused by clustermon relying on
the rgmanager tool and the GFS2 init scripts to unmount all file systems, but the cluster
stack would not stop properly if the user mounted the file system manually. This has been
fixed: clustermon now ensures that there are no cluster file systems mounted and then
attempts to stop the cluster stack.
Enhancement
BZ#724978
The "get_cluster_schema" function call has been added to allow users to easily get the XML
cluster schema content.
All users of clustermon are advised to upgrade to these updated packages, which resolve this bug.
4.31. coolkey
4.31.1. RHEA-2011:1738 — coolkey enhancement update
An enhanced coolkey package is now available for Red Hat Enterprise Linux 6.
The coolkey package contains driver support for CoolKey and Common Access Card (CAC) smart
card products.
Enhancements
BZ#578690
This update adds support for Personal Identity Verification (PIV) smart cards.
BZ#700907
Common Access Cards (CAC) are defined to have exactly three certificates. However, some
cards that used the CAC interface supplied one or two certificates only, which may have
caused the coolkey utility to fail. CAC smart cards that contain fewer than three certificates
are now supported.
Users of PIV and CAC smart cards are advised to upgrade to this updated package, which adds
these enhancements.
4.32. coreutils
4.32.1. RHBA-2011:1693 — coreutils bug fix update
Updated coreutils packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The coreutils packages contain the core GNU utilities. These packages combine the old GNU fileutils,
sh-utils, and textutils packages.
Bug Fixes
BZ#691292
Prior to this update, SELinux appeared to be disabled when building coreutils in Mock. As
a result, coreutils did not build. With this update, SELinux determines more precisely
whether it is disabled or not. Now, the packages are built successfully.
BZ#703712
Previously, incorrect signal handling could cause various problems for tcsh users logging
into the root shell using the su utility. Signal masking in the subshell called by the su utility
has been modified to respect the SIGTSTP signal as well as the SIGSTOP signal.
BZ#715557
When using the "-Z/--context" option in the cp utility, the SELinux context of a file was not
changed if the file destination already existed. The utility has been modified and the context
is changed as expected. However, this option is not portable to other systems.
BZ#720325
Prior to this update, the acl_extended_file() function could cause unnecessary mounts of
autofs when using the ls command on a directory with autofs mounted. This update adds
the new acl function, acl_extended_file_nofollow(), to prevent unnecessary autofs mounts.
BZ#725618
The description of the "--sleep-interval" option in the tail(1) manual page has been
improved to be clearer about the behavior and to match the upstream version of coreutils.
All users of coreutils are advised to upgrade to these updated packages, which fix these bugs.
4.33. corosync
4.33.1. RHBA-2012:1214 — corosync bug fix update
Updated corosync packages that fix a bug are now available for Red Hat Enterprise Linux 6
Extended Update Support.
The corosync packages provide the Corosync Cluster Engine and C Application Programming
Interfaces (APIs) for Red Hat Enterprise Linux cluster software.
Bug Fix
BZ#849553
Previously, the corosync-notifyd daemon, with dbus output enabled, waited 0.5 seconds
each time a message was sent through dbus. Consequently, corosync-notifyd was
extremely slow in producing output and memory of the Corosync server grew. In addition,
when corosync-notifyd was killed, its memory was not freed. With this update, corosync-notifyd
no longer slows down its operation with these half-second delays and Corosync
now properly frees memory when an IPC client exits.
Users of corosync are advised to upgrade to these updated packages, which fix this bug.
4.33.2. RHBA-2011:1515 — corosync bug fix and enhancement update
Updated corosync packages that fix multiple bugs and add various enhancements are now available
for Red Hat Enterprise Linux 6.
The corosync packages provide the Corosync Cluster Engine and C Application Programming
Interfaces (APIs) for Red Hat Enterprise Linux cluster software.
Bug Fixes
BZ#677583
Prior to this update, the corosync-blackbox command could, under certain circumstances,
produce a backtrace in the output and consequently terminate with a segmentation fault.
With this update, Corosync creates correct fdata files and also corosync-fplay is more
resistant when dealing with incorrect fdata files.
BZ#692620
Prior to this update, cpg did not use the "left_nodes" field in the downlist message. As a
consequence, a node could miss a configuration change and report larger old_members
than expected if one node was paused. This update modifies the downlist so that the
"left_nodes" field is used. Now, the membership events are correct.
BZ#696883
Prior to this update, running Corosync could cause a segmentation fault on multiple nodes
when executed via CMAN. This update modifies the code so that executing Corosync via
CMAN no longer causes segmentation faults with the pacemaker test suite.
BZ#696887
Prior to this update, the reference counting on the configuration server in Corosync was
incorrect. As a consequence, terminating the corosync-cfgtool -r command before
completing caused a segmentation fault. This update adds the correct reference counting
for each architecture. Now, Corosync no longer encounters segmentation faults in this
situation.
BZ#707860
Prior to this update, Corosync could terminate with a segmentation fault if it ran out of
available open files. This update handles the maximum number of open files more
gracefully. Now, Corosync no longer crashes when going over open file limits.
BZ#707867
Prior to this update, corosync-objctl could not create a new object/key and display double
or float values. This update adds float and double support to corosync-objctl. Now,
corosync-objctl can display object values with double or float types.
BZ#707873
Prior to this update, Corosync could terminate with a segmentation fault if it encountered a
negative value for the message type on systems where char is signed. This update
improves the check of the message type for incoming messages.
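Why a negative message type slips past a one-sided bound check where char is signed (BZ#707873), as an added example that is not Corosync code. The handler table, the type count and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MSG_TYPE_COUNT 4    /* constructed: valid message types are 0..3 */

typedef int (*handler_fn)(const unsigned char *payload, size_t len);

/* Constructed handlers: each returns type * 100 + payload length. */
static int h0(const unsigned char *p, size_t len) { (void)p; return 0 + (int)len; }
static int h1(const unsigned char *p, size_t len) { (void)p; return 100 + (int)len; }
static int h2(const unsigned char *p, size_t len) { (void)p; return 200 + (int)len; }
static int h3(const unsigned char *p, size_t len) { (void)p; return 300 + (int)len; }

static const handler_fn handlers[MSG_TYPE_COUNT] = { h0, h1, h2, h3 };

/* The value a header field declared as plain char holds for this wire
 * byte on a system where char is signed. */
static signed char as_signed_char(unsigned char wire_byte)
{
    signed char c;

    memcpy(&c, &wire_byte, 1);
    return c;
}

/* Flawed check: upper bound only. Wire byte 0x90 is -112 as a signed
 * char, and -112 < 4, so the type is accepted. Using it as an index
 * would read a function pointer from memory in front of the table. */
int type_accepted_flawed(unsigned char wire_byte)
{
    signed char type = as_signed_char(wire_byte);

    return type < MSG_TYPE_COUNT;
}

/* Hardened check: compare the byte as an unsigned value, so every value
 * outside 0..MSG_TYPE_COUNT-1 is rejected whatever the signedness of
 * char on the target. */
int type_accepted(unsigned char wire_byte)
{
    return wire_byte < MSG_TYPE_COUNT;
}

/* Dispatch one incoming frame; byte 0 is the message type.
 * Returns the handler result, or -1 if the frame is rejected. */
int dispatch(const unsigned char *frame, size_t len)
{
    if (len < 1 || !type_accepted(frame[0]))
        return -1;
    return handlers[frame[0]](frame + 1, len - 1);
}

int main(void)
{
    /* Constructed frames: a valid type 2 and an out-of-range type 0x90. */
    const unsigned char good[] = { 0x02, 'a', 'b' };
    const unsigned char bad[]  = { 0x90, 'a', 'b' };

    printf("flawed check accepts 0x90:   %d\n", type_accepted_flawed(0x90));
    printf("hardened check accepts 0x90: %d\n", type_accepted(0x90));
    printf("dispatch(good) = %d\n", dispatch(good, sizeof(good)));
    printf("dispatch(bad)  = %d\n", dispatch(bad, sizeof(bad)));
    return 0;
}
```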
BZ#707875
Prior to this update, an error message was wrongly displayed if files in the service.d
directory differed from the service key. With this update, Corosync no longer checks for sub
parameters in files in the service.d directory. Now, files in the service.d directory can contain
every possible configuration option.
BZ#709758
Prior to this update, Corosync used a spinlock around I/O operations. As a consequence,
Corosync consumed an extremely high portion of the central processing unit (CPU) when
running a large amount of inter-process communication (IPC) operations because the
spinlocks would spin during I/O. This update replaces the spinlock with a mutual exclusion
(mutex), which releases the processor from spinning but enforces correct behavior.
BZ#712115
Prior to this update, an incorrect mutex in the internal confdb data storage system could,
under certain circumstances, cause Corosync to terminate with a segmentation fault. This
update corrects the mutex and objdb API iteration no longer causes Corosync to terminate
with a segmentation fault.
BZ#712188
Prior to this update, Corosync became locked with contrived test cases when the tracking
functionality of the internal object database was enabled if it was under heavy load. This
update modifies Corosync so that the tracking functionality under heavy load no longer
causes Corosync to lock up.
BZ#725058
Prior to this update, retransmit list errors could occur on slower hardware due to high
multicast traffic and slow CPU usage. This update processes the multicast buffer queue
more frequently and retransmit errors are now less probable.
BZ#732698
Prior to this update, Corosync sometimes terminated unexpectedly when Corosync ran the
cman_tool join and cman_tool leave commands in a loop. This update modifies the code
so that no more segmentation faults occur in such situations.
Enhancements
BZ#529136
Prior to this update, the protocol in Corosync unnecessarily copied memory on AMD64 and
EM64T architectures to align data structures for architectures which do not handle
alignment correctly. As a consequence, the utilization of the central processing unit (CPU)
was increased. This update can conditionally avoid copies on unaligned safe architectures
such as Intel 80386, AMD64, and EM64T architectures. Now the CPU utilization is reduced
by around 20%.
BZ#599327
Prior to this update, no diagnostic message was available when the multicast was blocked.
As a consequence, each partition lost quorum which never remerged. This update displays
a diagnostic warning that the node cannot exit the GATHER state when a local NIC
(network interface card) fault occurs or the firewall prevents totem from forming a cluster. In
addition, the runtime.totem.pg.mrp.srp.firewall_enabled_or_nic_failure key is now set to 1.
BZ#667652
Prior to this update, fenced nodes were not safely powered up due to issues with the boot
sequence. As a consequence, users had to skip cluster services at boot to avoid problems
such as long response times and fences in two-node clusters. With this update, setting the
nocluster boot parameter prevents Corosync from starting automatically.
BZ#688260
Prior to this update, configuring two rings with different IP subnets only duplicated the IP
address data of one ring. This update adds support for the redundant ring functionality to
Corosync as a Technology Preview.
BZ#707876
Prior to this update, the corosync init script did not depend on syslog. As a consequence,
syslog logging did not work if the user turned off syslog. This update adds syslog as a
dependency to the init script. Now, logging works in all cases.
BZ#722469
Prior to this update, configuring two rings with different IP subnets only duplicated the IP
address data of one ring. This update adds support for the redundant ring functionality to
Corosync as a Technology Preview.
All corosync users are advised to upgrade to these updated packages, which fix these bugs and
add these enhancements.
4.33.3. RHBA-2012:0373 — corosync bug fix update
Updated corosync packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The corosync packages provide the Corosync Cluster Engine and C Application Programming
Interfaces (APIs) for Red Hat Enterprise Linux cluster software.
Bug Fix
BZ#791236
Previously, the range condition for the update_aru() function could cause an incorrect check
of message IDs. Due to this, in rare cases, the corosync utility entered the "FAILED TO
RECEIVE" state, and so failed to receive multicast packets. With this update, the range value
in the update_aru() function is no longer checked for; the fail_to_recv_const constant
performs such checks. Now, corosync does not fail to receive packets.
All users of corosync are advised to upgrade to these updated packages, which fix this bug.
4.33.4. RHBA-2012:0536 — corosync bug fix update
Updated corosync packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The corosync packages provide the Corosync Cluster Engine and the C language APIs for Red Hat
Enterprise Linux cluster software.
Bug Fix
BZ#810917
Previously, the underlying library of corosync did not delete temporary buffers used for
Inter-Process Communication (IPC) that are stored in the /dev/shm shared memory file
system. Therefore, if a user without proper privileges attempted to establish an IPC
connection, the attempt failed with an error message as expected but memory allocated for
temporary buffers was not released. This could eventually result in /dev/shm being fully
used and a Denial of Service. This update modifies the coroipcc library to let applications
delete temporary buffers if the buffers were not deleted by the corosync server. The /dev/shm
file system is no longer cluttered with needless data in this scenario and IPC connections
can be established as expected.
All users of corosync are advised to upgrade to these updated packages, which fix this bug.
4.33.5. RHBA-2012:0737 — corosync bug fix update
Updated corosync packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The corosync packages provide the Corosync Cluster Engine and C Application Programming
Interfaces (APIs) for Red Hat Enterprise Linux cluster software.
Bug Fix
BZ#828432
Previously, it was not possible to activate or deactivate debug logs at runtime due to
memory corruption in the objdb structure. With this update, the debug logging can now be
activated or deactivated at runtime, for example with the command "corosync-objctl -w
logging.debug=off".
All users of corosync are advised to upgrade to these updated packages, which fix this bug.
4.33.6. RHBA-2013:0724 — corosync bug fix update
Updated corosync packages that fix one bug are now available for Red Hat Enterprise Linux 6
Extended Update Support.
The Corosync packages provide the Corosync Cluster Engine and C Application Programming
Interfaces (APIs) for Red Hat Enterprise Linux cluster software.
Bug Fix
BZ#929098
When running applications which used the Corosync IPC library, some messages in the
dispatch() function were lost or duplicated. This update properly checks the return values
of the dispatch_put() function, returns the correct remaining bytes in the IPC ring buffer, and
ensures that the IPC client is correctly informed about the real number of messages in the
ring buffer. Now, messages in the dispatch() function are no longer lost or duplicated.
Users of corosync are advised to upgrade to these updated packages, which fix this bug.
4.34. cpufrequtils
4.34.1. RHBA-2011:1224 — cpufrequtils bugfix update
An updated cpufrequtils package that fixes a bug is now available for Red Hat Enterprise Linux 6.
The cpufrequtils package contains utilities that can be used to control the cpufreq interface provided
by the kernel on hardware that supports CPU frequency scaling.
Bug Fix
BZ#675734
Prior to this update, the cpufreq-aperf utility did not run on 32-bit systems due to an
incorrect argument passed to the read() call. This problem has been fixed: the buffer size is
now used instead of the size of the pointer and the cpufreq-aperf utility runs as expected.
All users of cpufrequtils are advised to upgrade to this updated package, which resolves this bug.
4.35. crash
4.35.1. RHBA-2011:1648 — crash bug fix and enhancement update
An updated crash package that fixes various bugs and adds several enhancements is now available
for Red Hat Enterprise Linux 6.
The crash package provides a self-contained tool that can be used to investigate live systems, and
kernel core dumps created from the netdump, diskdump, kdump, and Xen/KVM "virsh dump" facilities
from Red Hat Enterprise Linux.
BZ#710193
The crash package has been upgraded to upstream version 5.1.8, which provides a
number of enhancements and bug fixes over the previous version.
Bug Fixes
BZ#705142
Previously, compressed kdump dump files were handled incorrectly on AMD64 and Intel 64
architectures if a system contained more than 454 CPUs. In such a case, the crash session
terminated during initialization with the "crash: compressed kdump: invalid nr_cpus value:
[cpus]" error message. A patch has been provided to address this issue, and the
compressed dump files are now handled properly, thus fixing this bug.
BZ#716931
When the first chunk of physical memory on a system was assigned to NUMA (Non-Uniform
Memory Architecture) node 1 (typically it is assigned to NUMA node 0), the "kmem -s" or
"kmem -S" command incorrectly showed all cache blocks allocated by the slab allocator as
empty. This bug has been fixed, and the kmem command now shows populated
kmem_cache slab data correctly.
BZ#712214
In a rare scenario, a non-crashing CPU received a shutdown NMI (non-maskable interrupt)
immediately after receiving an interrupt from another source. Because the IRQ entry-point
symbols "IRQ0x00_interrupt" through "IRQ0x##_interrupt" no longer existed, the bt
command terminated with the "bt: cannot transition from exception stack to current process
stack" error message on AMD64 and Intel 64 architectures. This bug has been fixed, and
backtrace now properly transitions from the NMI stack back to the interrupted process
stack.
Enhancements
BZ#695413
The crash.8 man page and the associated built-in "crash -h" output have been re-written.
The crash.8 man page now clarifies the required invocation options, adds all of the
rarely-used command line options that have proliferated over the years, and updates the
ENVIRONMENT variables section. The "crash -h" output now closely mimics the relevant
parts of the crash.8 man page.
BZ#703467
With this update, the new "--osrelease [dump_file]" command line option that displays the
OSRELEASE vmcoreinfo string from a kdump dump file has been added.
Users of crash are advised to upgrade to this updated package which fixes these bugs and adds
these enhancements.
4.36. crontabs
4.36.1. RHBA-2011:0872 — crontabs bug fix update
An updated crontabs package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The crontabs package contains root crontab files and directories. You will need to install the cron
daemon to run the jobs from crontabs. The cron daemon such as cronie or fcron checks the crontab
files to see when particular commands are scheduled to be executed. If commands are scheduled, it
executes them. Crontabs handles a basic system function, so it should be installed on your system.
Bug Fix
BZ#609544
Prior to this update, an example included in the /etc/crontab file contained an omission. It
did not state that defining a job in crontab requires a username to be defined. The missing
information has been added to the /etc/crontab file in this update.
All users of crontabs are advised to upgrade to this updated package, which fixes this bug.
4.37. cryptsetup-luks
4.37.1. RHBA-2011:1688 — cryptsetup-luks bug fix and enhancement update
Updated cryptsetup-luks packages that fix several bugs and add an enhancement are now available
for Red Hat Enterprise Linux 6.
The cryptsetup-luks packages provide a utility which allows users to set up encrypted devices with
the Device Mapper and the dm-crypt target.
Bug Fixes
BZ#713410
When the cryptsetup or libcryptsetup utility was run in FIPS (Federal Information
Processing Standards) mode, the "Running in FIPS mode." message was displayed during
initialization of all commands. This sometimes caused minor issues with associated scripts.
This bug has been fixed and the message is now displayed only in verbose mode.
BZ#732179
Prior to this update, several directives were missing in the implementation of the cryptsetup
status command. Therefore, the cryptsetup status command always returned the exit code 0
when verifying the status of a mapped device. To fix this issue, the code has been modified.
The cryptsetup status command now returns the 0 value only if the device checked is active.
Enhancement
BZ#701936
Previously, the libcryptsetup crypt_get_volume_key() function permitted an action that is
not compliant with FIPS. To conform to FIPS requirements, the function is now disabled in
FIPS mode and returns an EACCES error code to indicate this. Note that the "luksDump --dump-master-key" command and the key escrow functionality of the volume_key package
are also disabled in FIPS mode as a consequence of this update.
All users of cryptsetup-luks are advised to upgrade to these updated packages, which fix these bugs
and add this enhancement.
4.38. ctdb
4.38.1. RHBA-2011:1574 — ctdb bug fix and enhancement update
Updated ctdb packages that fix one bug and add one enhancement are now available for Red Hat
Enterprise Linux 6.
The ctdb packages provide a clustered database based on Samba's Trivial Database (TDB) used to
store temporary data.
The ctdb packages have been upgraded to upstream version 1.0.114, which provides a number of
bug fixes over the previous version. (BZ#701944)
Bug Fix
BZ#728545
Prior to this update, the ctdb daemon leaked a file descriptor to anon_inodefs. This update
modifies ctdb so that this file descriptor can no longer leak.
Enhancement
BZ#672641
This update adds support for Clustered Samba on top of GFS2 as a Technology Preview.
All users of ctdb are advised to upgrade to these updated packages, which fix these bugs and add
this enhancement.
4.39. cups
4.39.1. RHSA-2011:1635 — Low: cups security and bug fix update
Updated cups packages that fix one security issue and several bugs are now available for Red Hat
Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The Common UNIX Printing System (CUPS) provides a portable printing layer for UNIX operating
systems.
Security Fix
CVE-2011-2896
A heap-based buffer overflow flaw was found in the Lempel-Ziv-Welch (LZW)
decompression algorithm implementation used by the CUPS GIF image format reader. An
attacker could create a malicious GIF image file that, when printed, could possibly cause
CUPS to crash or, potentially, execute arbitrary code with the privileges of the "lp" user.
Bug Fixes
BZ#681836
Previously, CUPS did not correctly handle the language setting LANG=en_US.ASCII. As a
consequence, the lpadmin, lpstat and lpinfo binaries did not display any output when the
LANG=en_US.ASCII environment variable was used. With this update, the problem
is fixed and the expected output is now displayed.
BZ#706673
Previously, the scheduler did not check for empty values of several configuration directives.
As a consequence, it was possible for the CUPS daemon (cupsd) to crash when a
configuration file contained certain empty values. With this update, the problem is fixed and
cupsd no longer crashes when reading such a configuration file.
BZ#709896
Previously, when printing to a raw print queue on certain printer models, CUPS
incorrectly sent SNMP queries. As a consequence, there was a noticeable 4-second
delay between queueing the job and the start of printing. With this update, the problem is
fixed and CUPS no longer tries to collect SNMP supply and status information for raw print
queues.
BZ#712430
Previously, when the BrowsePoll directive was used, the CUPS printer
polling daemon (cups-polld) could begin polling before the network interfaces were set up after a
system boot. CUPS then cached the failed hostname lookup. As a consequence, no
printers were found and the error "Host name lookup failure" was logged. With this update,
the code that re-initializes the resolver after failure in cups-polld is fixed and, as a result,
CUPS obtains the correct network settings to use in printer discovery.
BZ#735505
The MaxJobs directive controls the maximum number of print jobs that are kept in memory.
Previously, once the number of jobs reached the limit, the CUPS system failed to
automatically purge the data file associated with the oldest completed job from the system
in order to make room for a new print job. This bug has been fixed, and the jobs beyond the
set limit are now properly purged.
BZ#744791
The cups init script (/etc/rc.d/init.d/cups) uses the daemon function (from
/etc/rc.d/init.d/functions) to start the cups process, but previously it did not source a
configuration file from the /etc/sysconfig/ directory. As a consequence, it was difficult to
cleanly set the nice level or cgroup for the cups daemon by setting the NICELEVEL or
CGROUP_DAEMON variables. With this update, the init script is fixed.
All users of CUPS are advised to upgrade to these updated packages, which contain backported
patches to resolve these issues. After installing this update, the cupsd daemon will be restarted
automatically.
4.39.2. RHBA-2012:0418 — cups bug fix update
Updated cups packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The Common UNIX Printing System (CUPS) provides a portable printing layer for Linux, UNIX, and
similar operating systems.
Bug Fix
BZ#803419
Previously, empty jobs could be created using the "lp" command either by submitting an
empty file to print (for example by executing "lp /dev/null") or by providing an empty file as
standard input. In this way, a job was created but was never processed. With this update,
creation of empty print jobs is not allowed, and the user is now informed that no file is in the
request.
All users of cups are advised to upgrade to these updated packages, which fix this bug.
4.40. curl
4.40.1. RHBA-2012:0430 — curl bug fix update
Updated curl packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The curl packages provide the libcurl library and the cURL command line tool for transferring data
using various protocols, including HTTP, FTP, FILE, LDAP, TELNET, TFTP, SCP. Both libcurl and
cURL support many useful capabilities, such as user authentication, proxy support, FTP uploading,
HTTP POST and PUT methods, SSL certificates, and file transfer resume.
Bug Fixes
BZ#800903
Previously, SSL connections could not be established with libcurl if the selected Network
Security Services (NSS) database was broken or invalid. This update modifies the code of
libcurl to initialize NSS without a valid database, which allows applications to establish
SSL connections as expected in this scenario.
BZ#800904
The OpenLDAP suite was recently modified to use NSS instead of OpenSSL as the SSL
back end. This change led to collisions between libcurl and OpenLDAP on NSS
initialization and shutdown. Consequently, applications that were using both libcurl and
OpenLDAP failed to establish SSL connections. This update modifies libcurl to use the
same NSS API as OpenLDAP, which prevents collisions from occurring. Applications using
OpenLDAP and libcurl can now connect to the LDAP server over SSL as expected.
All users of curl are advised to upgrade to these updated packages, which fix these bugs. All running
applications that use libcurl have to be restarted for this update to take effect.
4.41. cvs
4.41.1. RHSA-2012:0321 — Moderate: cvs security update
Updated cvs packages that fix one security issue are now available for Red Hat Enterprise Linux 5
and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
Concurrent Version System (CVS) is a version control system that can record the history of your files.
Security Fix
CVE-2012-0804
A heap-based buffer overflow flaw was found in the way the CVS client handled responses
from HTTP proxies. A malicious HTTP proxy could use this flaw to cause the CVS client to
crash or, possibly, execute arbitrary code with the privileges of the user running the CVS
client.
All users of cvs are advised to upgrade to these updated packages, which contain a patch to correct
this issue.
4.42. cyrus-imapd
4.42.1. RHBA-2012:0708 — cyrus-imapd bug fix update
Updated cyrus-imapd packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The cyrus-imapd packages contain a high-performance mail server with IMAP, POP3, NNTP, and
SIEVE support.
Bug Fix
BZ#818209
Previously, the idled daemon incorrectly used signals for communication with the imapd
daemon. This could cause a user's mailbox to become unresponsive. To prevent this
problem, idled no longer uses signals to communicate with imapd; the AF_UNIX datagram
sockets are now used instead.
All users of cyrus-imapd are advised to upgrade to these updated packages, which fix this bug.
4.43. cyrus-sasl
4.43.1. RHBA-2011:1687 — cyrus-sasl bug fix and enhancement update
Updated cyrus-sasl packages that fix two bugs and add one enhancement are now available for Red
Hat Enterprise Linux 6.
The cyrus-sasl packages contain the Cyrus implementation of the Simple Authentication and
Security Layer (SASL), a method for adding authentication support to connection-based protocols.
Bug Fixes
BZ#720451
Prior to this update, the ntlm plug-in did not work due to a code error. This update modifies
the source code so that the plug-in now works as expected.
BZ#730242
Prior to this update, creating the user ID and the group ID of the saslauth daemon caused
conflicts. This update corrects this behavior and now the saslauth daemon works as
expected.
BZ#730246
Prior to this update, cyrus-sasl displayed redundant warnings during the compilation. With
this update, cyrus-sasl has been modified and now works as expected.
Enhancement
BZ#727274
This update adds support for partial Relocation Read-Only (RELRO) for the cyrus-sasl
libraries.
All users of cyrus-sasl are advised to upgrade to these updated packages, which fix these bugs and
add this enhancement.
4.44. device-mapper-multipath
4.44.1. RHBA-2011-1527 — device-mapper-multipath bug fix and enhancement update
Updated device-mapper-multipath packages that fix multiple bugs and add various enhancements are
now available for Red Hat Enterprise Linux 6.
The device-mapper-multipath packages provide tools to manage multipath devices using the device-mapper multipath kernel module.
Bug Fixes
BZ#677449
DM Multipath removed a device if it failed to check the device status due to insufficient
memory. This happened because the command checking if the device map existed failed as
the system returned an error. With this update, Multipath no longer returns an error under
these circumstances and no devices are removed if the system runs out of memory while
checking device status.
BZ#678673
If a device-mapper-multipath device was open but all attached device paths had been lost,
the device was unable to create a new table with no device paths. As a consequence, the
multipath -ll command returned output indicating that no paths to the device were
available, with confusing "failed faulty running" rows representing the missing paths.
Multipath devices now reload tables with no device paths correctly.
BZ#689504
Device paths could fail even if unavailable only temporarily. This happened because the
RDAC (Redundant Disk Array Controller) checker function did not recheck the status of
hosts if it had received a temporary error code. The function now rechecks the path after it
has received such error codes and the path failures are transient as expected.
BZ#697386
A previous bug fix introduced a race condition between the main thread and the thread
running the checkerloop routine as the checkerloop thread was created with deferred
cancellation type. The checkerloop thread continued running and attempted to access a
property, which had been previously deallocated by the main thread. This caused the
multipathd daemon to shut down with a segmentation fault. Now the checkerloop thread
checks if a shutdown is in progress and the daemon shuts down gracefully.
BZ#700169
The Multipath daemon failed to include some ghost paths when counting the number of
active paths; however, when the ghost paths failed, they were subtracted from the number of
active paths. This caused multipathd to fail IO requests even though some paths were still
available. The Multipath daemon now counts ghost paths correctly and no longer fails IO
requests while there are still active paths available.
BZ#705854
If the user set dev_loss_tmo to a value greater than 600 in multipath.conf without
setting the fast_io_fail_tmo value, the multipathd daemon did not notify the user that
fast_io_fail_tmo was not set. Multipath now issues a warning that fast_io_fail_tmo is not set
under such circumstances.
BZ#706555
On shared-storage multipath setups that set failback to manual, multipath could keep
alternating from the failover pathgroup to the primary pathgroup infinitely. This happened
because multipath was incorrectly failing back to the primary pathgroup whenever a path
priority changed. With this update, multipath no longer fails back to the primary pathgroup
when a path's priority changes under such circumstances.
BZ#707560
If the multipath device was deleted while a path was being checked, multipathd did not
abort the path check and terminated unexpectedly when trying to access the multipath
device information. The Multipath daemon now aborts any path checks when the multipath
device is removed and the problem no longer occurs.
BZ#714821
The Multipath daemon was removing a multipath device twice. This could cause multipathd
to access memory already used for another purpose, and caused the multipathd daemon to
terminate unexpectedly. The multipathd daemon now removes the device once and the
problem no longer occurs.
BZ#719571
The kpartx utility built partition devices for invalid GUID partition tables (GPT) because it
did not validate the size of GUID partitions. The kpartx utility now checks the partition size,
and does not build devices for invalid GPTs.
BZ#723168
Multipath previously returned an unclear error message when it failed to find rport_id. The
returned message and its severity have been adjusted.
BZ#725541
Several upstream commits have been included in the device-mapper-multipath package
providing a number of bug fixes and enhancements over the previous version.
BZ#738298
Anaconda failed to recognize an existing filesystem on a zSeries Linux fibre-channel
adapter (zFCP) LUN and marked it as 'Unknown' when reinstalling the system. This
happened due to an incorrect setting of the DM_UDEV_DISABLE_DISK_RULES_FLAG
property. A filesystem on a multipath zFCP LUN is now correctly recognized during the
installation.
BZ#747604
The asynchronous TUR path checker caused multipathd to terminate unexpectedly due to
memory corruption. This happened if multipathd attempted to delete a path while the
asynchronous TUR checker was running on the path. The asynchronous TUR checker
code has been removed, and multipathd no longer crashes on path removal.
Enhancements
BZ#636009
Multipath now supports up to 8000 device paths.
BZ#683616
To provide support for Asymmetric Logical Unit Access (ALUA), the RDAC checker has been
modified to work better with devices in IOSHIP mode. The checker now sets the Task
Aborted Status (TAS) bit to 1 if the TAS bit is set to 0 and changeable on a LUN (Logical
Unit Number) discovery. The function now also reports PATH_UP for both the path groups
in the RDAC storage in IOSHIP mode.
BZ#694602
Running multipath on IBM BladeCenter S-series with RAIDed Shared Storage Module (RSSM)
previously required a manual multipath configuration to enable RSSM. Multipath now configures the
server automatically.
BZ#699577
The text in the defaults, multipaths, and devices sections of the multipath.conf man
page has been improved to provide a better clarification.
BZ#713754
The rr_min_io_rq option has been added to the default, devices, and multipaths
sections of the multipath.conf file. This option defines the number of I/O requests to
route to a path before switching to the next path in the current path group. Note that the
rr_min_io option is no longer used.
BZ#710478
UID, GID, and mode owner settings defined in /etc/multipath.conf for a multipath
device are ignored. These access permissions are now set with the udev rules.
Users are advised to upgrade to these updated device-mapper-multipath packages, which fix these
bugs and add these enhancements.
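For BZ#719571, the kind of size check a GPT consumer needs before it creates a partition mapping looks like this in C. It is an added illustration, not kpartx code: the struct and function names are hypothetical, and the rules follow the GPT layout, in which a partition's ending LBA is inclusive.

```c
#include <stdint.h>
#include <stdio.h>

/* Values taken from a GPT header plus the size of the underlying device.
 * Names are hypothetical, chosen for this example. */
struct gpt_limits {
    uint64_t first_usable_lba;
    uint64_t last_usable_lba;
    uint64_t device_sectors;     /* total sectors on the device */
};

/* One partition entry. In GPT the ending LBA is inclusive. */
struct gpt_extent {
    uint64_t first_lba;
    uint64_t last_lba;
};

/* Returns 1 and stores the size in sectors when the entry lies inside the
 * usable area and inside the device; returns 0 otherwise. All comparisons
 * are made on the raw LBAs before any arithmetic, so values from a corrupt
 * or hostile table cannot wrap the subtraction. Unused (all-zero) entries
 * are expected to be skipped by the caller before this check. */
int gpt_extent_valid(const struct gpt_limits *lim,
                     const struct gpt_extent *e, uint64_t *sectors)
{
    if (lim == NULL || e == NULL || sectors == NULL)
        return 0;

    /* The header must describe an area that exists on the device. */
    if (lim->device_sectors == 0 ||
        lim->first_usable_lba > lim->last_usable_lba ||
        lim->last_usable_lba >= lim->device_sectors)
        return 0;

    if (e->first_lba > e->last_lba)            /* negative size */
        return 0;
    if (e->first_lba < lim->first_usable_lba)  /* overlaps GPT metadata */
        return 0;
    if (e->last_lba > lim->last_usable_lba)    /* runs past usable area */
        return 0;

    /* Safe: last_lba < device_sectors, so the +1 cannot overflow. */
    *sectors = e->last_lba - e->first_lba + 1;
    return 1;
}

int main(void)
{
    /* Constructed sample: a 1 GiB device with 512-byte sectors. */
    struct gpt_limits lim = { 34, 2097118, 2097152 };
    struct gpt_extent good = { 2048, 206847 };
    struct gpt_extent too_big = { 2048, 4194303 };
    uint64_t n = 0;

    if (gpt_extent_valid(&lim, &good, &n))
        printf("good entry: %llu sectors\n", (unsigned long long)n);
    if (!gpt_extent_valid(&lim, &too_big, &n))
        printf("oversized entry rejected, no device built\n");
    return 0;
}
```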
4.44.2. RHBA-2012:0502 — device-mapper-multipath bug fix update
Updated device-mapper-multipath packages that fix one bug are now available for Red Hat
Enterprise Linux 6.
The device-mapper-multipath packages provide tools to manage multipath devices using the device-mapper multipath kernel module.
Bug Fix
BZ#802433
Device-Mapper Multipath uses certain regular expressions in the built-in device
configurations to determine a multipath device so that the correct configuration can be
applied to the device. Previously, some regular expressions for the device vendor and
product ID were too broad. As a consequence, some devices could be matched with
incorrect device configurations. With this update, the product and vendor regular
expressions have been made stricter so that all multipath devices can now be properly
configured.
All users of device-mapper-multipath are advised to upgrade to these updated packages, which fix
this bug.
4.45. DeviceKit-power
4.45.1. RHEA-2011:1276 — DeviceKit-power enhancement update
Updated DeviceKit-power packages that add two enhancements are now available for Red Hat
Enterprise Linux 6.
DeviceKit-power provides a daemon, API and command line tools for managing power devices
attached to the system.
Enhancements
BZ#625880
To allow administrators to easily disable the suspend and hibernate actions on the system,
DeviceKit-power now checks the PolicyKit authorization before deciding whether an action
can be completed.
BZ#727544
This update introduces a new sub-package DeviceKit-power-devel-docs, which contains
developer's documentation for DeviceKit-power, so that it is now possible to install the
DeviceKit-power-devel package on machines with multiple architectures without file
conflicts.
All users are advised to upgrade to these updated DeviceKit-power packages, which add these
enhancements.
4.46. dhcp
4.46.1. RHSA-2011:1819 — Moderate: dhcp security update
Updated dhcp packages that fix one security issue are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an
IP network to get their own network configuration information, including an IP address, a subnet
mask, and a broadcast address.
Security Fix
CVE-2011-4539
A denial of service flaw was found in the way the dhcpd daemon handled DHCP request
packets when regular expression matching was used in "/etc/dhcp/dhcpd.conf". A remote
attacker could use this flaw to crash dhcpd.
Users of DHCP should upgrade to these updated packages, which contain a backported patch to
correct this issue. After installing this update, all DHCP servers will be restarted automatically.
4.46.2. RHBA-2011:1597 — dhcp bug fix and enhancement update
Updated dhcp packages that fix several bugs and add two enhancements are now available for Red
Hat Enterprise Linux 6.
The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows individual devices on an
IP network to get their own network configuration information, including an IP address, a subnet
mask, and a broadcast address. DHCPv6 is the DHCP protocol that supports IPv6 networks.
Bug Fixes
BZ#694798
Previously, when multiple DHCP clients were launched at the same time to handle multiple
virtual interfaces on the same network interface card (NIC), the clients used the same seed
to choose when to renew their leases. Consequently, these virtual interfaces for some clients
could have been removed over time. With this update, the dhclient utility uses the Process
Identifier (PID) for seeding the random number generator, which fixes the bug.
BZ#694799
If a system was rebooted while a network switch was inoperative, the network connection
would recover successfully. However, it was no longer configured to use DHCP even if the
dhclient utility had been running in persistent mode. With this update, the dhclient-script file
has been modified to refresh the ARP (Address Resolution Protocol) table and the routing
table instead of bringing the interface down, which fixes the bug.
BZ#731990
If the system included network interfaces with no hardware address, the dhcpd scan could
have experienced a segmentation fault when scanning such an interface. As a
consequence, the dhcpd daemon unexpectedly terminated. To prevent this issue, dhcpd
now tests a pointer which represents the hardware address of the interface for the NULL
value. The dhcp daemon no longer crashes.
BZ#736999
Previously, all source files were compiled with the "-fpie" or "-fPIE" flag. As a consequence,
the libraries used by dhcp could not be used to build Perl modules. To fix this
problem, all respective dhcp Makefiles have been modified to compile libraries with the "-fpic" or "-fPIC" flag. The libraries used by dhcp are now built without the previous
restrictions.
BZ#736194
Previously, both dhcp and dhclient packages included the dhcp-options(5) and dhcp-eval(5) man pages. As a consequence, a conflict could have occurred when any of these
man pages was updated, because dhcp and dhclient packages could have been
upgraded separately. To prevent the problem from occurring in future updates, shared files
of dhcp and dhclient packages have been moved to the dhcp-common package that is
required by both dhcp and dhclient as a dependency.
Enhancements
BZ#706974
A feature has been backported from dhcp version 4.2.0. This feature allows the DHCPv6
server to be configured to identify DHCPv6 clients in accordance with their link-layer
address and their network hardware type. With this update, it is now possible to define a
static IPv6 address for the DHCPv6 client with a known link-layer address.
BZ#693381
Previously, the dhcpd daemon ran as root. With this update, new "-user" and "-group"
options can be used with dhcpd. These options allow dhcpd to change the effective user
and group ID after it starts. The dhcpd and dhcpd6 services now run the dhcpd daemon
with the "-user dhcpd -group dhcpd" parameters, which means that the dhcpd daemon
runs as the dhcpd user and group instead of root.
Users are advised to upgrade to these updated dhcp packages, which fix these bugs and add
these enhancements.
4.47. dmidecode
4.47.1. RHEA-2011:1555 — dmidecode bug fix and enhancement update
An updated dmidecode package that fixes one bug and adds one enhancement is now available for
Red Hat Enterprise Linux 6.
The dmidecode package provides utilities for extracting x86 and Intel Itanium hardware information
from the system BIOS or EFI (Extensible Firmware Interface), depending on the SMBIOS/DMI
standard. This information typically includes system manufacturer, model name, serial number, BIOS
version, and asset tag as well as other details, depending on the manufacturer. This often includes
usage status for the CPU sockets, expansion slots such as AGP, PCI and ISA, among others,
memory module slots, and many different kinds of I/O ports, such as serial, parallel and USB.
Prior to this update, the extended records for the DMI types Memory Device (DMI type 17) and Memory
Array Mapped Address (DMI type 19) were missing from the dmidecode utility output. With this
update, dmidecode has been upgraded to upstream version 2.11, which updates support for the
SMBIOS specification to version 2.7.1, thus fixing this bug. Now, the dmidecode output contains the
extended records for DMI type 17 and DMI type 19. (BZ#654833)
All users of dmidecode are advised to upgrade to this updated package, which fixes this bug and
adds this enhancement.
4.48. dnsmasq
4.48.1. RHBA-2011:1746 — dnsmasq bug fix update
An updated dnsmasq package that addresses two bugs is now available for Red Hat Enterprise
Linux 6.
Dnsmasq is a lightweight and easy-to-configure DNS forwarder and DHCP server.
Bug Fixes
BZ#584009
Three changes were made to /etc/init.d/dnsmasq, the dnsmasq startup script:
If dnsmasq was started or restarted by a non-privileged user, the startup script
previously failed silently. With this update, the dnsmasq startup script now exits with a
status code of 4 (user had insufficient privilege) and returns a "User has insufficient
privilege" error to STDOUT when started or restarted by a non-privileged user.
A "force-reload" option was added: The "service force-reload dnsmasq" command now
forces dnsmasq to reload. Previously, it did nothing.
If /etc/init.d/dnsmasq was passed an invalid argument, previously the startup script exited
with a status code of 1 (generic or unspecified error). With this update, the startup script
now exits correctly, returning a status code of 2 (invalid or excess argument) in such a
circumstance.
BZ#704073
If the virtual bridge interface (virbr0) was up and dnsmasq was started by default, dnsmasq
could, in some circumstances, write a "DHCP packet received on eth(x) which has no
address" message to /var/log/messages. Note: this message was not in error. The message
was written if an actual interface (e.g. eth1) was up; did not have a configured IP address (e.g.
was slaved to a logical bonded interface); and was in the same LAN as another host which
generated a DHCP request. The message had little-to-no utility, however: it presented a
warning where none was needed. With this update, this message is no longer written to
/var/log/messages in these, and equivalent, circumstances.
All dnsmasq users should install this update which makes these changes.
4.49. dosfstools
4.49.1. RHBA-2011:1552 — dosfstools bug fix update
An updated dosfstools package that fixes various bugs is now available for Red Hat Enterprise Linux
6.
The dosfstools package contains a set of tools for creating and maintaining FAT-type file systems. It
includes the mkdosfs and dosfsck utilities, which make and check MS-DOS FAT file systems on hard
drives and floppy disks.
Bug Fixes
BZ#624596
Previously, when the dosfsck and the dosfslabel utilities were executed on the IBM System z
architecture using a FAT32 file system, they terminated with this error message: "Logical
sector size is zero". This was caused by unaligned fields which were first byte-wise copied.
With this fix, the fields are not pre-copied any more, but are accessed the same way as on
the i686 architecture.
BZ#677789
The fsck.vfat utility terminated due to a buffer overflow. This occurred when checking a device
with a corrupted VFAT file system if there were any chains of orphaned clusters. The name
of the newly created file that contained these clusters was printed directly into the name
field, which led to an out-of-bounds write. The name is now printed into the buffer and
individual parts are then correctly copied into the appropriate field.
BZ#688128
The dosfslabel utility displayed an error message when labeling the FAT32 file system due
to some of its internal structures being initialized incorrectly. The dosfslabel utility now
reads the FAT file system first, which fixes the problem.
BZ#709266
The mkfs.vfat utility did not correctly detect device partitions on RAID devices. As a
consequence, formatting failed with an error message. This was caused by an invalid mask
for the statbuf.st_rdev variable. The mask has been fixed to be at least four bytes long and
the problem no longer occurs.
All users of dosfstools are advised to upgrade to this updated package, which resolves these bugs.
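The fix pattern described for BZ#677789 (print the generated name into a scratch buffer, then copy fixed-width parts into the name and extension fields) looks like this in C. This is an added illustration, not dosfstools source: the struct layout, the function name and the FSCKnnnn.REC naming pattern are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 8
#define EXT_LEN  3

/* Constructed stand-in for the fixed-width 8.3 name fields of a FAT
 * directory entry (assumption; not the dosfstools definition). The fields
 * are space-padded and carry no NUL terminator. */
struct dirent83 {
    unsigned char name[NAME_LEN];
    unsigned char ext[EXT_LEN];
    unsigned char attr;          /* first byte after the name fields */
};

/*
 * Printing straight into the name field, shown only as a comment:
 *
 *     sprintf((char *)de->name, "FSCK%04uREC", seq);
 *
 * The formatted text is 11 characters plus a terminating NUL, so 12 bytes
 * are written starting at an 8-byte array. With this layout the write runs
 * past name[] and the NUL lands on attr.
 */

/* Hardened form: format into a scratch buffer sized for the text and its
 * NUL, verify the length, then copy each part into its own field.
 * Returns 0 on success, -1 if the name cannot be represented. */
int set_recovered_name(struct dirent83 *de, unsigned int seq)
{
    char tmp[NAME_LEN + EXT_LEN + 1];
    int n;

    if (de == NULL || seq > 9999)
        return -1;               /* more than four digits would not fit */

    n = snprintf(tmp, sizeof tmp, "FSCK%04uREC", seq);
    if (n != NAME_LEN + EXT_LEN)
        return -1;               /* truncated or unexpected length */

    memcpy(de->name, tmp, NAME_LEN);
    memcpy(de->ext, tmp + NAME_LEN, EXT_LEN);
    return 0;
}

int main(void)
{
    struct dirent83 de;

    memset(&de, ' ', sizeof de);
    de.attr = 0x20;              /* constructed sample attribute byte */

    if (set_recovered_name(&de, 42) == 0)
        printf("%.8s.%.3s attr=0x%02x\n",
               (const char *)de.name, (const char *)de.ext, de.attr);
    return 0;
}
```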
4.50. doxygen
4.50.1. RHBA-2011:1174 — doxygen bug fix update
Updated doxygen packages that fix one bug are now available for Red Hat Enterprise Linux 6.
Doxygen can generate an online class browser in HTML and/or a reference manual in LaTeX from a
set of documented source files. The documentation is extracted directly from the sources.
Bug Fix
BZ#690076
Prior to this update, Doxygen required invalid BuildRequires on the qt-devel package. With
this update, packages with BuildRequires dependencies on the qt-devel package have
been fixed. Now, these packages explicitly require qt4-devel.
All users of Doxygen are advised to upgrade to these updated packages, which fix this bug.
4.51. dracut
4.51.1. RHBA-2012:1319 — dracut bug fix update
Updated dracut packages that fix a bug are now available for Red Hat Enterprise Linux 6 Extended
Update Support.
The dracut packages include an event-driven initramfs generator infrastructure based on the udev
device manager. The virtual file system, initramfs, is loaded together with the kernel at boot time and
initializes the system, so it can read and boot from the root partition.
Bug Fix
BZ#860350
If the "/boot/" directory was not on a separate file system, dracut called the sha512hmac
utility with a file name prefixed with "/sysroot/boot". Consequently, sha512hmac searched for
the file checksum in "/boot/", returned errors, and dracut considered the FIPS check to have
failed. Eventually, a kernel panic occurred. With this update, dracut uses a symlink linking
"/boot" to "/sysroot/boot", sha512hmac can now access files in "/boot/", and FIPS checks
now pass, allowing the system to boot properly in the described scenario.
All users of dracut are advised to upgrade to these updated packages, which fix this bug.
4.51.2. RHBA-2011:1521 — dracut bug fix and enhancement update
Updated dracut packages that fix multiple bugs and add various enhancements are now available for
Red Hat Enterprise Linux 6.
The dracut packages include an event-driven initramfs generator infrastructure based on udev. The
virtual file system, initramfs, is loaded together with the kernel at boot time and initializes the system,
so it can read and boot from the root partition.
Bug Fixes
BZ #659076
Previously, dracut incorrectly displayed that it loaded SELinux even if SELinux was
disabled in the config file and "selinux=0" was not specified on the kernel command line. As
a consequence, an error message could confuse the user when booting the system. With
this update, the dracut utility is modified and the error message no longer appears.
BZ #696980
Due to an error in the dracut module script, the system could fail to find the root volume if a
static IP address was specified. As a consequence, the system did not boot. With this
update, the error is corrected, and the system is able to boot with a static IP address.
BZ #698160
When mounting the root device over the NFS (Network File System) protocol, the
/var/lib/rpcbind directory created by initramfs was world-writable. The dracut tool has been
modified to generate initramfs which now sets the ownership to the rpc user and the group.
BZ #698165
When auto-assembling an md RAID device, initramfs used an invalid parameter when
calling the mdadm tool. This prevented the system from booting if the root device was on the
RAID device. The invalid parameter has been removed and the system now boots properly.
BZ #698215
When auto-assembling an md RAID device, an error in the mdraid_start.sh script prevented
the system from booting if the root device was on the RAID device. The error in the script
has been fixed and the system now boots correctly.
BZ #701309
Prior to this update, the /var/lib/nfs/rpc_pipefs partition could not be accessed on system
boot. The problem occurred when booting the system with NFS set as the root partition with
at least one separate /var partition. This was caused by initramfs mounting the /var partition
over the existing rpc_pipefs partition. The initramfs file system now mounts entries in
/etc/fstab.sys, which fixes the problem.
BZ #707609
The dm-mod and dm-crypt kernel modules were missing from the list of kernel modules,
which are pre-loaded for the FIPS-140 check. These modules have been added to the list
with this update.
BZ #712254
When loading SELinux from inside initramfs, the output of the SELinux commands could be
garbled if the user used non-Latin locales. The initramfs file system has been modified to
turn off localization for the SELinux commands, which results in readable messages.
BZ #737134
The QLogic qla4xxx iSCSI driver and the iSCSI (Internet Small Computer System Interface)
transport layer now support iSCSI boot from Storage Area Network (SAN) using the
iscsistart. With this update, dracut is modified to support these changes.
BZ #737593
If the user installed a system with rootfs on a RAID device where RAID members were
encrypted, dracut failed to assemble the RAID device on reboot. As a consequence, the
system did not boot. A patch has been applied to address this issue, and the RAID device is
now assembled on every boot so that the system boots successfully.
BZ #741430
When applying SELinux labels for /dev in initramfs, the restorecon tool did not alter the
MCS/MLS label only types. To fix this problem, the "-F" option has been added to all calls
of restorecon.
BZ #742920
Prior to this update, the boot process timed out for network settings with DHCP involved. A
patch has been applied to extend the timeout interval if DHCP is involved, which fixes the
problem.
Enhancements
BZ #701864
This update adds support for iSCSI (Internet Small Computer System Interface) partial
offload functionality for certain Broadcom network devices.
BZ #740487
This update adds the dracut-fips-aesni subpackage. Note that the package should be
installed when using the aesni-intel module in FIPS mode.
BZ #723548
This update adds support for Logical Volume Management (LVM) mirror devices to serve as
root devices. Additionally degraded mirrors are used after a certain timeout if the other half
cannot be found at booting time.
BZ #729573
This update adds support for configuring an interface with automatic IPv6 and DHCP over
IPv4 by using the "ip=[interface]:dhcp,auto6" command line parameter.
BZ #736094
With this update, the Broadcom FCoE (Fibre Channel over Ethernet) offload driver is now
supported.
Users of dracut are advised to upgrade to these updated packages, which fix these bugs and add
these enhancements.
4.51.3. RHBA-2012:0331 — dracut bug fix update
Updated dracut packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The dracut packages include an event-driven initramfs generator infrastructure based on the udev
device manager. The virtual file system, initramfs, is loaded together with the kernel at boot time and
initializes the system, so it can read and boot from the root partition.
Bug Fixes
BZ #790943
When sourcing dracut modules, dracut did not check whether the "install" script for the
module exists and is executable. Therefore, if the script was missing, an attempt to execute
the script failed. As a consequence, dracut did not execute the "installkernel" script, and the
module was not included in the initramfs image. This problem has been fixed: dracut now
performs the check and only executes the "install" script when it exists. Then, the
"installkernel" script is correctly executed and the module is installed in the initramfs image.
BZ #791128
Previously, dracut did not correctly handle a situation when booting a system with a
degraded RAID array. In such a case, the initial RAM disk image (initramfs) was not able to
start the array and the system did not boot. With this update, the initramfs forces the array to
start and the system now boots as expected.
All users of dracut are advised to upgrade to these updated packages, which fix these bugs.
4.52. dump
4.52.1. RHBA-2011:1095 — dump bug fix update
Updated dump packages that fix three bugs are now available for Red Hat Enterprise Linux 6.
The dump package contains both "dump" and "restore" commands. The "dump" command
examines files in a file system, determines which ones need to be backed up, and copies those files to
a specified disk, tape, or other storage medium. The "restore" command performs the inverse function
of "dump"; it can restore a full backup of a file system. Subsequent incremental backups can then be
layered on top of the full backup. Single files and directory subtrees may also be restored from full or
partial backups.
Bug Fixes
BZ #702593
Prior to this update, the dump utility passed wrong arguments to the "clone(2)" system call.
As a result, dump became unresponsive when executed on the S/390 or IBM System z
architecture. This bug has been fixed in this update so that dump now passes correct
arguments and no longer hangs.
BZ #691434
Under certain circumstances, the dump utility could have failed to detect holes in files
correctly. When a user attempted to restore an erroneous backup using the "restore"
command, an error message "Missing blocks at end of [path], assuming hole" could have
been displayed. In such a case, the backup might not have been restored properly. This bug
has been fixed in this update so that dump now handles holes in files as expected.
BZ #658890
Prior to this update, the "dump -w" command did not recognize ext4 file systems as
supported. With this update, the bug has been fixed so that "dump -w" now recognizes the
ext4 file systems as supported.
All users of dump should upgrade to these updated packages, which fix these bugs.
4.53. e2fsprogs
4.53.1. RHBA-2011:1735 — e2fsprogs bug fix and enhancement update
Updated e2fsprogs packages that fix several bugs and add two enhancements are now available for
Red Hat Enterprise Linux 6.
The e2fsprogs packages contain a number of utilities that create, check, modify, and correct
inconsistencies in ext2, ext3, and ext4 file systems. This includes e2fsck (which repairs file system
inconsistencies after an unclean shutdown), mke2fs (which initializes a partition to contain an empty
file system), tune2fs (which modifies file system parameters), and most of the other core file system
utilities.
Bug Fixes
BZ #676465
Running the "e2fsck" command on certain corrupted file systems failed to correct all errors
during the first run. This occurred when a file had its xattr block cloned as a duplicate, but
the block was later removed from the file because the file system did not contain the xattr
feature. However, the block was not cleared from the block bitmaps. During the second run,
e2fsck found the cloned xattr block as in use, but not owned by any file, and had to repair
the block bitmaps. With this update, the processing of duplicate xattr blocks is skipped on
non-xattr file systems. All problems are now discovered during the first run.
BZ #679931
On certain devices with very large physical sector size, the mke2fs utility set the block size
to be as large as the size of the physical sector. In some cases, the size of the physical
sector was larger than the page size. As a consequence, the file system could not be
mounted and, in rare cases, the utility could even fail. With this update, the default block
size is not set to be larger than the system's page size, even for large physical sector
devices.
BZ #683906
Previously, multiple manual pages contained typos. These typos have been corrected with
this update.
BZ #713475
This update modifies parameters of the "mke2fs" command to be consistent with the
"discard" and "nodiscard" mount options for all system tools (like mount, fsck, or mkfs).
The user is now also informed about the ongoing discard process.
BZ #730083
Previously, the libcom_err libraries were built without the read-only relocation (RELRO)
flag. Programs built against these libraries could be vulnerable to various attacks based
on overwriting the ELF section of a program. To enhance the security, the e2fsprogs
package is now provided with partial RELRO support.
Enhancements
BZ #679892
Previously, the tune2fs tool could not set "barrier=0" as the default option on the ext3 and
ext4 file systems. With this update, users are now able to set this option when creating the
file system, and do not have to maintain the option in the /etc/fstab file across all of the file
systems and servers.
BZ #713468
Previously, raw e2image output files could be extremely large sparse files, which were
difficult to copy, archive, and transport. This update adds support for exporting images in
the qcow format. Images in this format are small and easy to manipulate.
Users are advised to upgrade to these updated e2fsprogs packages, which fix these bugs and add
these enhancements.
4.54. emacs
4.54.1. RHBA-2012:0042 — emacs bug fix update
Updated emacs packages that fix one bug are now available for Red Hat Enterprise Linux 6.
GNU Emacs is a powerful, customizable, self-documenting text editor. It provides special code editing
features, a scripting language (elisp), and the capability to read email and news.
Bug Fix
BZ #769673
Emacs did not properly terminate if it was started remotely and the remote client session was
closed while Emacs was suspended. Under these conditions, Emacs entered an infinite
loop in the code and gradually consumed all available computer resources, which caused
the system to become unstable. With this update, Emacs has been modified, and it now
terminates correctly when the remote session is closed.
All users of emacs are advised to upgrade to these updated packages, which fix this bug.
4.54.2. RHBA-2012:0348 — emacs bug fix update
Updated emacs packages that fix one bug are now available for Red Hat Enterprise Linux 6.
GNU Emacs is a powerful, customizable, self-documenting text editor. It provides special code editing
features, a scripting language (elisp), and the capability to read e-mail and news.
Bug Fix
BZ #796053
In ispell mode, Emacs used the spell checkers in the following order: Ispell, Aspell, and
Hunspell. However, Ispell is no longer available and Aspell does not have any dictionaries
installed by default. Consequently, because Emacs found Aspell before the default
Hunspell, the spell check failed and Emacs reported the following error message:
ispell-init-process: Error: No word lists can be found for the
language "en_US".
With this update, Emacs has been modified to look for the spell checkers in the following
order: Hunspell, Aspell, and Ispell. This ensures that Hunspell is used by default when it is
available.
All users of emacs are advised to upgrade to these updated packages, which fix this bug.
4.55. esc
4.55.1. RHBA-2011:1718 — esc bug fix update
An updated esc package that fixes various bugs is now available for Red Hat Enterprise Linux 6.
The esc package contains the Smart Card Manager GUI (Graphical User Interface), which allows the
user to manage security smart cards. The primary function of the tool is to enroll smart cards, so that
they can be used for common cryptographic operations, such as secure email and website access.
Bug Fixes
BZ #253077
If the user resized an ESC window and closed it, the window did not preserve its size when
opening it again. If the user wanted the window to be larger, for example, to make it easier to
read, the user had to resize the window every single time when it was opened again. A
patch has been applied to address this issue and the previous window size is now restored
when opening ESC.
BZ #682216
Previously, during the shut down sequence of the escd daemon, the daemon reported a
failure of certain instances. ESC terminated unexpectedly with a segmentation fault as a
consequence. This update modifies the daemon to exit quietly. As a result, ESC no longer
terminates unexpectedly.
BZ #702683
The esc-prefs.js file contains helpful commented settings designed to assist the user in
trying rarely used settings if the situation warrants. A number of these settings in the file
contained typos. The typos have been corrected with this update.
BZ #704281
Previously, ESC could have terminated with a segmentation fault after the user had inserted
a new smart card into the reader. This was due to a bug in the code which helped to bring a
pop-up window to the foreground. The code is no longer needed to assure window focus,
therefore it is no longer being executed. As a result, ESC no longer terminates in the
scenario described.
All users of esc are advised to upgrade to this updated package, which fixes these bugs.
4.55.2. RHBA-2012:0472 — esc bug fix update
An updated esc package that fixes two bugs is now available for Red Hat Enterprise Linux 6.
The esc packages contain the Smart Card Manager GUI, which allows the user to manage security smart
cards. The primary function of the tool is to enroll smart cards, so that they can be used for common
cryptographic operations, such as secure e-mail and website access.
Bug Fixes
BZ #807264
The ESC utility did not start when the latest 10 series release of the XULRunner runtime
environment was installed on the system. This update includes necessary changes to
ensure that ESC works as expected with the latest version of XULRunner.
BZ #807806
After removing and replacing an enrolled token, ESC could terminate unexpectedly followed
by a traceback. A patch has been applied to address this issue and ESC now displays the
enrolled smart card details as expected.
All users of esc are advised to upgrade to these updated packages, which fix these bugs.
4.56. expat
4.56.1. RHSA-2012:0731 — Moderate: expat security update
Updated expat packages that fix two security issues are now available for Red Hat Enterprise Linux 5
and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact.
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
Expat is a C library written by James Clark for parsing XML documents.
Security Fixes
CVE-2012-0876
A denial of service flaw was found in the implementation of hash arrays in Expat. An
attacker could use this flaw to make an application using Expat consume an excessive
amount of CPU time by providing a specially-crafted XML file that triggers multiple hash
function collisions. To mitigate this issue, randomization has been added to the hash
function to reduce the chance of an attacker successfully causing intentional collisions.
CVE-2012-1148
A memory leak flaw was found in Expat. If an XML file processed by an application linked
against Expat triggered a memory re-allocation failure, Expat failed to free the previously
allocated memory. This could cause the application to exit unexpectedly or crash when all
available memory is exhausted.
All Expat users should upgrade to these updated packages, which contain backported patches to
correct these issues. After installing the updated packages, applications using the Expat library must
be restarted for the update to take effect.
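The leak described under CVE-2012-1148 follows a common C pattern: assigning the result of a reallocation straight back to the only pointer that referenced the old block. The sketch below is an added illustration and is not Expat's code; `demo_realloc`, `append_leaky`, `append_safe` and the tracking allocator are hypothetical names, and the third allocation call is forced to fail to stand in for memory exhaustion.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed tracking allocator (hypothetical, for this demo only): it
 * remembers live blocks and fails call number fail_on_call to simulate
 * memory exhaustion. */
#define MAX_LIVE 8
static void *live[MAX_LIVE];
static int calls, fail_on_call;

static int slot_of(const void *p) {           /* p == NULL finds a free slot */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) return i;
    return -1;
}

static void *demo_realloc(void *old, size_t n) {
    int slot = slot_of(old);
    if (slot < 0) return NULL;
    if (++calls == fail_on_call) return NULL;  /* as with realloc(): old block stays allocated */
    void *p = realloc(old, n);
    if (p) live[slot] = p;
    return p;
}

static void demo_free(void *p) {
    int slot = p ? slot_of(p) : -1;
    if (slot >= 0) { free(p); live[slot] = NULL; }
}

/* Frees whatever the code under test lost track of; returns the block count. */
static int reclaim_leaks(void) {
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i]) { free(live[i]); live[i] = NULL; n++; }
    return n;
}

struct buf { char *data; size_t len, cap; };
typedef int (*append_fn)(struct buf *, const char *, size_t);

/* Leaky form: the result overwrites the only pointer to the old block, so a
 * failed reallocation leaves that block unreachable and it is never freed. */
static int append_leaky(struct buf *b, const char *s, size_t n) {
    if (b->len + n > b->cap) {
        size_t cap = (b->len + n) * 2;
        b->data = demo_realloc(b->data, cap);
        if (!b->data) { b->len = b->cap = 0; return -1; }
        b->cap = cap;
    }
    memcpy(b->data + b->len, s, n);
    b->len += n;
    return 0;
}

/* Corrected form: keep the old pointer until the new one is known to be good. */
static int append_safe(struct buf *b, const char *s, size_t n) {
    if (b->len + n > b->cap) {
        size_t cap = (b->len + n) * 2;
        char *tmp = demo_realloc(b->data, cap);
        if (!tmp) return -1;                   /* b is unchanged; caller can still free it */
        b->data = tmp;
        b->cap = cap;
    }
    memcpy(b->data + b->len, s, n);
    b->len += n;
    return 0;
}

/* Appends constructed input until the forced failure, cleans up the way a
 * caller would, and returns how many blocks were leaked. */
static int leaked_after_failure(append_fn append, int *kept_data) {
    const char *tail = "<item id=\"2\"/></doc>";  /* constructed sample input */
    struct buf b = {0};
    reclaim_leaks();
    calls = 0;
    fail_on_call = 3;
    if (append(&b, "<doc>", 5) != 0 || append(&b, "<item/>", 7) != 0)
        return -1;
    int rc = append(&b, tail, strlen(tail));      /* third call: forced failure */
    *kept_data = rc == -1 && b.data != NULL && b.len == 12 &&
                 memcmp(b.data, "<doc><item/>", 12) == 0;
    demo_free(b.data);
    return reclaim_leaks();
}

int main(void) {
    int kept;
    printf("leaky: %d block(s) leaked\n", leaked_after_failure(append_leaky, &kept));
    printf("safe:  %d block(s) leaked\n", leaked_after_failure(append_safe, &kept));
    return 0;
}
```

In a long-running process that parses untrusted input, each failed growth in the leaky form strands one more block, which is how a reallocation failure turns into steady memory exhaustion.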
4.57. fcoe-utils
4.57.1. RHBA-2011:1607 — fcoe-utils bug fix and enhancement update
An updated fcoe-utils package that fixes several bugs and adds various enhancements is now
available for Red Hat Enterprise Linux 6.
The fcoe-utils package provides Fibre Channel over Ethernet (FCoE) utilities, such as the fcoeadm
command line tool for configuring FCoE interfaces, and the fcoemon service to configure DCB
Ethernet QOS filters.
The fcoe-utils package has been upgraded to upstream version 1.0.20, which provides a number of
bug fixes and enhancements over the previous version. (BZ #695941)
Bug Fixes
BZ #639466
When stopping the fcoe service, the fcoe initscript did not properly clean up after itself as
expected (did not remove FCoE devices, kill related processes and unload FCoE drivers).
As a consequence, FCoE interfaces were not brought down and FCoE related threads were
still running after the fcoe had been stopped. The "service fcoe stop" command is used to
ensure safe after-update service restarts on FCoE dependent systems, therefore it cannot be
used to remove FCoE devices and unload related kernel modules. Concerning this
situation, the initscript has been modified to use the "stop force" command option to
completely remove FCoE devices and unload related kernel modules. The fcoe service now
should be stopped using the "service fcoe stop force" command.
BZ #732485
When removing a network interface with no fcoe port using the "fcoeadm -d" command, the
fcoe port state machine set the removal operation incorrectly to wait without responding to
fcoemon. This led to an internal error because fcoemon timed out waiting for the response.
To resolve the problem, the code has been modified to return the code for no further action
under these circumstances. The "fcoeadm -d" command now works for interfaces without
the fcoe port as expected.
BZ #732485
The fcoemon service did not maintain any information about the relative state of a physical
network interface and its dependent VLAN interfaces. As a consequence, the fcoe port of the
VLAN interface could have been out of sync with the fcoe port of the physical device,
resulting in undesired behavior, such as processing link events improperly. To fix this
problem, a ready flag has been introduced. This flag is set to false when the physical port is
disabled. Link events are now processed correctly for the vlan ports.
BZ #732485
When answering an FCoE Initialization Protocol (FIP) VLAN Discovery request, some
switches encapsulate FIP VLAN Discovery replies in a VLAN 0 tag which is wrapped around
the packet's FIP frame header. Previously, when a packet containing such a reply reached
a target network interface, some devices did not remove the VLAN tag before they started to
process the FIP header. If the VLAN tag was not removed, the length of the processed
header was larger than was expected, therefore the FIP parsing logic was not able to parse
the FIP header correctly causing a loss of the packet. With this update, the parsing logic
has been modified to skip over the VLAN header when necessary, and point to the correct
start of the FIP header.
BZ #743689
The timeout for a kernel reply to fcoeadm operations was set to 5 seconds, which was not
enough when processing an fcoeadm operation on a system with a large number of FCoE
ports while a kernel was under heavy load. As a consequence, the "internal error" message
was displayed even though the operation was finished successfully. To prevent this bug,
the timeout for the kernel reply was increased to 30 seconds. No error message is now sent
when an fcoeadm operation succeeds.
All users of fcoe-utils are advised to upgrade to this updated package, which fixes these bugs and
adds these enhancements.
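The VLAN 0 case in the FIP VLAN Discovery entry above comes down to locating the FIP header only after checking for an 802.1Q tag. The following is an added example, not code from fcoe-utils: the function names and both frames are constructed, and the EtherType values and FIP header layout are assumed from the 802.1Q and FC-BB-5 definitions rather than taken from this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN     14       /* dst MAC + src MAC + EtherType */
#define VLAN_HLEN    4        /* 802.1Q tag: TPID + TCI */
#define ETH_P_8021Q  0x8100   /* 802.1Q tag protocol identifier */
#define ETH_P_FIP    0x8914   /* FCoE Initialization Protocol EtherType */
#define FIP_HLEN     10       /* fixed FIP header; descriptors follow it */

struct fip_view { int offset; unsigned proto; unsigned subcode; };

static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Behaviour the note describes as broken: the FIP header is assumed to sit
 * directly after the 14-byte Ethernet header. This sketch assumes the receive
 * path has already selected the frame as FIP, so no EtherType check is made. */
static int parse_fixed_offset(const uint8_t *f, size_t len, struct fip_view *v) {
    if (len < ETH_HLEN + FIP_HLEN) return -1;
    v->offset  = ETH_HLEN;
    v->proto   = be16(f + ETH_HLEN + 2);
    v->subcode = f[ETH_HLEN + 5];
    return 0;
}

/* Corrected behaviour: skip one 802.1Q tag if present, confirm the EtherType
 * is FIP, and reject frames too short to hold the full header. */
static int parse_skip_vlan(const uint8_t *f, size_t len, struct fip_view *v) {
    size_t off = ETH_HLEN;
    unsigned type;

    if (len < ETH_HLEN) return -1;
    type = be16(f + 12);
    if (type == ETH_P_8021Q) {
        if (len < ETH_HLEN + VLAN_HLEN) return -1;
        type = be16(f + ETH_HLEN + 2);      /* encapsulated EtherType */
        off += VLAN_HLEN;
    }
    if (type != ETH_P_FIP) return -1;
    if (len - off < FIP_HLEN) return -1;

    v->offset  = (int)off;
    v->proto   = be16(f + off + 2);          /* FIP protocol code */
    v->subcode = f[off + 5];                 /* FIP subcode */
    return 0;
}

/* Constructed sample: untagged FIP VLAN reply (protocol 0x0004, subcode 0x02),
 * descriptor list omitted. */
static const uint8_t untagged_reply[] = {
    0x02,0x00,0x00,0x00,0x00,0x01,  0x02,0x00,0x00,0x00,0x00,0x02,
    0x89,0x14,
    0x10,0x00, 0x00,0x04, 0x00,0x02, 0x00,0x00, 0x00,0x00
};

/* Constructed sample: the same reply wrapped in a VLAN 0 tag (TCI 0x0000). */
static const uint8_t tagged_reply[] = {
    0x02,0x00,0x00,0x00,0x00,0x01,  0x02,0x00,0x00,0x00,0x00,0x02,
    0x81,0x00, 0x00,0x00,
    0x89,0x14,
    0x10,0x00, 0x00,0x04, 0x00,0x02, 0x00,0x00, 0x00,0x00
};

int main(void) {
    struct fip_view v;
    if (parse_fixed_offset(tagged_reply, sizeof tagged_reply, &v) == 0)
        printf("fixed offset: proto=0x%04x subcode=%u\n", v.proto, v.subcode);
    if (parse_skip_vlan(tagged_reply, sizeof tagged_reply, &v) == 0)
        printf("skip VLAN:    offset=%d proto=0x%04x subcode=%u\n",
               v.offset, v.proto, v.subcode);
    return 0;
}
```

On the tagged frame the fixed-offset parser reads the encapsulated EtherType as the protocol code, so the reply is not recognised and is dropped, which matches the packet loss the entry describes.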
4.58. fence-agents
4.58.1. RHBA-2011:1599 — fence-agents bug fix and enhancement update
An updated fence-agents package that fixes various bugs and adds several enhancements is now
available for Red Hat Enterprise Linux 6.
Red Hat fence agents are a collection of scripts to handle remote power management for cluster
devices. They allow failed or unreachable cluster nodes to be forcibly restarted and removed from the
cluster.
The fence-agents package has been upgraded to upstream version 3.1.5, which provides a number
of bug fixes and enhancements over the previous version. (BZ #707123)
Bug Fixes
BZ #731166
Due to a change in REST API, the fence_rhevm utility incorrectly reported status "UP" as
"RUNNING". Consequently, the "fence_rhevm -o status" command always reported "OFF".
This bug has been fixed, and fence_rhevm now reports status correctly.
BZ #718924
The fence_drac5 agent failed to clear its SSH sessions on exit as expected by firmware.
Consequently, the fence agent appeared to be still connected to the device, and once the
connection limit was reached, further logins to the device were not allowed. This bug has
been fixed, and fence_drac5 now clears its SSH sessions properly.
BZ #693428
The "monitor" and "status" commands of the fence_ipmilan agent returned chassis status
instead of the fence device status. As a result, when a server chassis was powered off, the
fence_ipmilan agent exited with the incorrect result code "2" when passed one of these
commands. Now, fence_ipmilan returns the correct result code "0" in the described
scenario.
BZ #708052
When a blade server was removed from a blade chassis and was fenced via the
fence_bladecenter utility with the "--missing-as-off" option enabled, and was scheduled
with the "reboot" action, the fence failed. This bug has been fixed, and fence_bladecenter
no longer returns an error if a blade server is missing.
BZ #718196
A list operation on fence_drac5 agents resulted in unexpected termination of fence agents.
A patch has been provided to address this issue, and fence_drac5 agents now work
correctly in the described scenario.
BZ #718207
When the pyOpenSSL package was not present in the system and an error occurred, the
fence_ilo agent terminated with a generic error message, making it difficult to debug the
problem. Now, fence_ilo reports that a dependent package is missing in the described
scenario, thus fixing this bug.
BZ #732372
The verbose mode of the fence_ipmilan agent exposed user passwords when the whole
command was logged by an IPMI tool. Now, the fence_ipmilan output has been changed,
and passwords remain undisclosed in the described scenario.
BZ #738384
During simultaneous unfencing operations performed via the fence_scsi agent, all nodes
launched their reservation commands at the same time. Consequently, some of the
commands failed. Now, fence_scsi retries to unfence a node until its reservation command
succeeds.
BZ #734429
A null dereference was discovered in the fence_kdump agent, when the strchr() function
returned the NULL value. With this update, the dereference has been fixed in the code and
no longer occurs.
Enhancements
BZ #624673
With this update, the new fence_vmware_soap() function has been provided to enable
fencing of VMware guests in ESX environments.
BZ #461948
The fence_kdump utility has been updated to integrate fencing with the kernel dump
environment.
BZ #698365
With this update, the RelaxNG schema generation for fence-agents has been updated with
the rha:description and rha:name attributes in its output to fence attribute group elements.
BZ #726571
The fence_ipmilan agent has been updated to support the -L option of the ipmilan daemon,
thus supporting fencing with user session privileges level.
Users of fence-agents are advised to upgrade to this updated package, which fixes these bugs and
adds these enhancements.
4.58.2. RHBA-2012:0353 — fence-agents bug fix update
An updated fence-agents package that fixes one bug is now available for Red Hat Enterprise Linux 6.
Red Hat fence agents are a collection of scripts to handle remote power management for several
devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the
cluster.
Bug Fix
BZ #785816
The fence_rhevm fencing agent uses the Red Hat Enterprise Virtualization API to check the
power status ("on" or "off") of a virtual machine. In addition to the states of "up" and
"down", the API includes other states like "unassigned", "powering_up", "paused",
"migrating", "unknown", "not_responding", "wait_for_launch", "reboot_in_progress",
"saving_state", "restoring_state", "suspended", "image_illegal", "image_locked" or
"powering_down". Previously, the "on" power status was returned only if the machine was
in the "up" state. The "off" status was returned for all other states although the machine
was actually running. This allowed for successful fencing even before the machine was
really powered off. With this update, the fence_rhevm agent detects power status of a cluster
node more conservatively, and the "off" status is returned only if the machine is really
powered off, that is, in the "off" state.
All users of fence-agents are advised to upgrade to this updated package, which fixes this bug.
4.58.3. RHBA-2012:0483 — fence-agents bug fix update
Updated fence-agents packages that fix one bug are now available for Red Hat Enterprise Linux 6.
Red Hat fence agents are a collection of scripts to handle remote power management for cluster
devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the
cluster.
Bug Fix
BZ #811873
Previously, the fence_vmware_soap fence agent did not expose the full path to a virtual
machine that is required for fencing. With this update, fence_vmware_soap has been
modified to support identification of virtual machines as expected.
All users of fence-agents are advised to upgrade to these updated packages, which fix this bug.
4.58.4. RHBA-2012:0548 — fence-agents bug fix update
Updated fence-agents packages that fix one bug are now available for Red Hat Enterprise Linux 6.
Red Hat fence agents are a collection of scripts for handling remote power management for cluster
devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the
cluster.
Bug Fix
BZ #814843
Previously, fencing a Red Hat Enterprise Linux cluster node with the fence_soap_vmware
fence agent running in a virtual machine on VMWare could fail with the following error
message:
KeyError: 'config.uuid'
This was because the fence agent was not able to work with more than one hundred
machines in a cluster. With this update, the underlying source code has been modified to
support fencing of such clusters.
All users of fence-agents are advised to upgrade to these updated packages, which fix this bug.
4.58.5. RHBA-2013:1407 — fence-agents bug fix update
Updated fence-agents packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
Red Hat fence agents are a collection of scripts for handling remote power management for cluster
devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the
cluster.
Bug Fix
BZ #1012574
Prior to this update, the fence agent for IPMI (Intelligent Platform Management Interface)
could return an invalid return code when the "-M cycle" option was used. This invalid return
code could cause invalid interpretation of success of a fence action, eventually causing the
cluster to become unresponsive. This bug has been fixed and only predefined return codes
are now returned in the described scenario.
Users of fence-agents are advised to upgrade to these updated packages, which fix this bug.
4.59. fence-virt
4.59.1. RHBA-2011:1566 — fence-virt bug fix and enhancement update
Updated fence-virt packages that fix two bugs and add one enhancement are now available for Red
Hat Enterprise Linux 6.
The fence-virt packages provide a fencing agent for virtual machines as well as a host agent which
processes fencing requests.
Bug Fixes
BZ #719645
Prior to this update, the domain parameter was missing from the metadata. As a
consequence, existing configurations utilizing the domain parameter did not function
correctly when fencing. This update adds the domain parameter for compatibility. Now,
existing configurations work as expected.
BZ #720767
Prior to this update, hash mismatches falsely returned successes for fencing. As a
consequence, data corruption could occur in live-hang scenarios. This update corrects the
hash handling of mismatches. Now, no more false successes are returned and the data
integrity is preserved.
Enhancement
BZ #691200
With this update, the libvirt-qpid plugin now operates using QMF version 2.
All users of fence-virt are advised to upgrade to these updated packages, which fix these bugs and
add this enhancement.
4.59.2. RHBA-2012:0485 — fence-virt bug fix update
Updated fence-virt packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The fence-virt packages provide a fencing agent for virtual machines as well as a host agent which
processes fencing requests.
Bug Fix
BZ #807270
Previously, the libvirt-qpid plug-in was linked directly against Qpid libraries instead of
being linked only against QMFv2 libraries. As a consequence, newer versions of Qpid
libraries could not be used with the libvirt-qpid plug-in. This update modifies the
appropriate makefile so that libvirt-qpid is no longer linked directly against the Qpid
libraries. The libvirt-qpid plug-in does not have to be re-linked to work with the newer Qpid
libraries.
All users of fence-virt are advised to upgrade to these updated packages, which fix this bug.
4.60. file
4.60.1. RHBA-2011:0934 — file bug fix update
Updated file packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The file command is used to identify a particular file according to the type of data contained in the
file.
[Updated 7 September 2011] This update fixes a bug in which the file utility did not parse ELF
(Executable and Linkable Format) binary files correctly. If an entry in the program header table
contained a file offset beyond the end of file, dynamically linked files were reported as being linked
statically. The file utility now recognizes files in the described scenario correctly. (BZ#730336)
Bug Fixes
BZ#676045, BZ#712992, BZ#712988
Prior to this update, the file utility could have been unable to recognize RPM files for certain
supported architectures. This update improves the file type recognition, and the RPM files
for all supported architectures are now correctly identified as expected.
BZ#688700
Prior to this update, the file utility did not correctly recognize the IBM System z kernel
images. This problem has been corrected so that the IBM System z kernel images are now
correctly recognized as expected.
BZ#692098
Prior to this update, the file utility attempted to show information related to core dumps for
binary files that were not core dumps. This undesired behavior has been fixed in this
update so that information related to core dumps is shown only for core dumps and not for
the binary files which are not core dumps.
BZ#675691
Prior to this update, file patterns for LaTeX checked only the first 400 bytes of a file to
determine the pattern type. This caused an incorrect pattern type recognition as some files
could have contained a larger number of comments at the beginning of the file.
Furthermore, file patterns which matched a Python script were tried before the LaTeX
patterns and this undesired behavior could have caused an incorrect pattern type
recognition as LaTeX files could have included a source code written in Python. With this
update, the aforementioned problems have been fixed by increasing the number of first
bytes checked for a LaTeX file to 4096 bytes, and by trying the LaTeX patterns before the
Python patterns.
BZ#690801
Prior to this update, there were several spelling mistakes contained in the magic(5) manual
page. This update corrects the spelling mistakes in the respective manual page.
BZ#716665
Prior to this update, the file utility treated MP3 files as text files, and therefore was unable to
recognize the MP3 files. This undesired behavior has been fixed in this update, and the file
utility now treats the MP3 files as binary files and is able to properly recognize them.
All users of file are advised to upgrade to these updated packages, which fix these bugs.
4.61. filesystem
4.61.1. RHBA-2011:0966 — filesystem bug fix update
An updated filesystem package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The filesystem package is one of the basic packages that is installed on a Red Hat Enterprise Linux
system. The filesystem package contains the basic directory layout for the Linux operating system,
including the correct permissions for directories.
Bug Fix
BZ#620063
Prior to this update, certain locale subdirectories in the /usr/share/locale/ directory did not
have any owner set. With this update, this bug has been fixed so that the filesystem
package now owns the subdirectories of the following locales: bg_BG (Bulgarian), en_NZ
(New Zealand English), fi_FI (Finnish), gl_ES (Galician), lv_LV (Latvian), ms_MY
(Malaysian), sr_RS (Serbian), en@shaw (Shavian), zh_CN.GB2312 (Chinese Simplified),
sr@ijekavian (Serbian Jekavian), and sr@ijekavianlatin (Serbian Jekavian Latin).
All users of filesystem are advised to upgrade to this updated package, which fixes this bug.
4.62. fipscheck
4.62.1. RHEA-2011:1733 — fipscheck enhancement update
Updated fipscheck packages that add one enhancement are now available for Red Hat Enterprise
Linux 6.
The fipscheck library is used to verify the integrity of modules validated under FIPS-140-2. The
fipscheck package provides helper binaries for creating and verifying HMAC-SHA256 checksum files.
Enhancement
BZ#727277
Prior to this update, the fipscheck library was linked without support for read-only
relocations (RELRO) flags. The updated fipscheck packages are now provided with partial
RELRO support.
Users of fipscheck are advised to upgrade to these updated packages, which add this enhancement.
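Added example (not code from Red Hat or from the file or fipscheck projects): a small parser for the two ELF properties these notes touch on, the out-of-range program header offset behind BZ#730336 and the RELRO marking added to fipscheck in BZ#727277. The function names, the constructed ELF images and the stop_at_bad_offset switch are assumptions; the switch models a hypothetical fragile parser, because the notes do not say how file failed internally, and only 64-bit little-endian ELF is handled.

```python
import struct

PT_LOAD, PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 1, 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def program_headers(data):
    """Yield (p_type, p_offset, p_filesz) for a 64-bit little-endian ELF image."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("expected a 64-bit little-endian ELF image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    if e_phentsize < 56 or e_phoff + e_phentsize * e_phnum > len(data):
        raise ValueError("program header table is truncated")
    for i in range(e_phnum):
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        yield p_type, p_offset, p_filesz


def dynamic_has_bind_now(blob):
    """True if the dynamic section requests eager binding (needed for full RELRO)."""
    for pos in range(0, len(blob) - 15, 16):
        tag, val = struct.unpack_from("<qQ", blob, pos)
        if tag == DT_NULL:
            break
        if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
            return True
    return False


def classify(data, stop_at_bad_offset=False):
    """Report linkage, RELRO level and program header entries pointing past EOF.

    stop_at_bad_offset=True models a hypothetical fragile parser (assumption,
    for contrast only): it gives up at the first out-of-range entry.
    """
    linkage, has_relro, bind_now, bad = "static", False, False, []
    for idx, (p_type, off, filesz) in enumerate(program_headers(data)):
        in_bounds = off + filesz <= len(data)
        if not in_bounds:
            bad.append(idx)
            if stop_at_bad_offset:
                break
        # Linkage is decided by the entry's presence, not by reading its bytes.
        if p_type in (PT_DYNAMIC, PT_INTERP):
            linkage = "dynamic"
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        if p_type == PT_DYNAMIC and in_bounds:
            bind_now = dynamic_has_bind_now(data[off:off + filesz])
    relro = "none" if not has_relro else ("full" if bind_now else "partial")
    return {"linkage": linkage, "relro": relro, "bad_entries": bad}


def build_sample(segments, dyn_tags=()):
    """Constructed input: minimal ELF64 image; offset None places .dynamic after the table."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 56 * len(segments)
    image = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    image += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56,
                         len(segments), 0, 0, 0)
    for p_type, off, filesz in segments:
        if off is None:
            off, filesz = dyn_off, len(dyn)
        image += struct.pack("<IIQQQQQQ", p_type, 4, off, 0, 0, filesz, filesz, 8)
    return image + dyn


# Constructed samples (not real binaries).
BAD_OFFSET = build_sample([(PT_LOAD, 1 << 20, 4096), (PT_DYNAMIC, None, None),
                           (PT_GNU_RELRO, 0, 0)])
FULL_RELRO = build_sample([(PT_DYNAMIC, None, None), (PT_GNU_RELRO, 0, 0)],
                          dyn_tags=[(DT_FLAGS, DF_BIND_NOW)])
STATIC = build_sample([(PT_LOAD, 0, 64)])

if __name__ == "__main__":
    for name, img in (("bad offset", BAD_OFFSET), ("full relro", FULL_RELRO),
                      ("static", STATIC)):
        print(name, classify(img), classify(img, stop_at_bad_offset=True))
```

On the sample with an out-of-range first entry, the fragile mode reports a static binary with no RELRO, while the default mode records the bad entry and still reports dynamic linkage with partial RELRO.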
4.63. firefox
4.63.1. RHSA-2012:0079 — Critical: firefox security update
Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise
Linux 4, 5, and 6.
The Red Hat Security Response Team has rated this update as having critical security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment
for Mozilla Firefox.
Security Fixes
CVE-2011-3659
A use-after-free flaw was found in the way Firefox removed nsDOMAttribute child nodes. In
certain circumstances, due to the premature notification of AttributeChildRemoved, a
malicious script could possibly use this flaw to cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-0442
Several flaws were found in the processing of malformed web content. A web page
containing malicious content could cause Firefox to crash or, potentially, execute arbitrary
code with the privileges of the user running Firefox.
CVE-2012-0444
A flaw was found in the way Firefox parsed Ogg Vorbis media files. A web page containing
a malicious Ogg Vorbis media file could cause Firefox to crash or, potentially, execute
arbitrary code with the privileges of the user running Firefox.
CVE-2012-0449
A flaw was found in the way Firefox parsed certain Scalable Vector Graphics (SVG) image
files that contained eXtensible Style Sheet Language Transformations (XSLT). A web page
containing a malicious SVG image file could cause Firefox to crash or, potentially, execute
arbitrary code with the privileges of the user running Firefox.
CVE-2011-3670
The same-origin policy in Firefox treated http://example.com and http://[example.com] as
interchangeable. A malicious script could possibly use this flaw to gain access to sensitive
information (such as a client's IP and user e-mail address, or httpOnly cookies) that may be
included in HTTP proxy error replies, generated in response to invalid URLs using square
brackets.
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 3.6.26:
http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.26
All Firefox users should upgrade to these updated packages, which contain Firefox version 3.6.26,
which corrects these issues. After installing the update, Firefox must be restarted for the changes to
take effect.
4.63.2. RHSA-2012:0387 — Critical: firefox security and bug fix update
Updated firefox packages that fix multiple security issues and three bugs are now available for Red
Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Firefox is an open source web browser.
Security Fixes
CVE-2012-0461, CVE-2012-0462, CVE-2012-0464
Several flaws were found in the processing of malformed web content. A web page
containing malicious content could cause Firefox to crash or, potentially, execute arbitrary
code with the privileges of the user running Firefox.
CVE-2012-0456, CVE-2012-0457
Two flaws were found in the way Firefox parsed certain Scalable Vector Graphics (SVG)
image files. A web page containing a malicious SVG image file could cause an information
leak, or cause Firefox to crash or, potentially, execute arbitrary code with the privileges of
the user running Firefox.
CVE-2012-0455
A flaw could allow a malicious site to bypass intended restrictions, possibly leading to a
cross-site scripting (XSS) attack if a user were tricked into dropping a "javascript:" link onto
a frame.
CVE-2012-0458
It was found that the home page could be set to a "javascript:" link. If a user were tricked
into setting such a home page by dragging a link to the home button, it could cause Firefox
to repeatedly crash, eventually leading to arbitrary code execution with the privileges of the
user running Firefox.
CVE-2012-0459
A flaw was found in the way Firefox parsed certain web content containing "cssText". A web
page containing malicious content could cause Firefox to crash or, potentially, execute
arbitrary code with the privileges of the user running Firefox.
CVE-2012-0460
It was found that by using the DOM fullscreen API, untrusted content could bypass the
mozRequestFullscreen security protections. A web page containing malicious web content
could exploit this API flaw to cause user interface spoofing.
CVE-2012-0451
A flaw was found in the way Firefox handled pages with multiple Content Security Policy
(CSP) headers. This could lead to a cross-site scripting attack if used in conjunction with a
website that has a header injection flaw.
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.3
ESR:
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
Bug Fixes
BZ#729632
When using the Traditional Chinese locale (zh-TW), a segmentation fault sometimes
occurred when closing Firefox.
BZ#784048
Inputting any text in the Web Console (Tools -> Web Developer -> Web Console) caused
Firefox to crash.
BZ#799042
The java-1.6.0-ibm-plugin and java-1.6.0-sun-plugin packages require the
"/usr/lib/mozilla/plugins/" directory on 32-bit systems, and the "/usr/lib64/mozilla/plugins/"
directory on 64-bit systems. These directories are created by the xulrunner package;
however, they were missing from the xulrunner package provided by the RHEA-2012:0327
update. Therefore, upgrading to RHEA-2012:0327 removed those directories, causing
dependency errors when attempting to install the java-1.6.0-ibm-plugin or
java-1.6.0-sun-plugin package. With this update, xulrunner once again creates the plugins directory. This
issue did not affect users of Red Hat Enterprise Linux 6.
All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.3
ESR, which corrects these issues. After installing the update, Firefox must be restarted for the
changes to take effect.
4.63.3. RHSA-2012:0515 — Critical: firefox security update
Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise
Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment
for Mozilla Firefox.
Security Fixes
CVE-2011-3062
A flaw was found in Sanitiser for OpenType (OTS), used by Firefox to help prevent potential
exploits in malformed OpenType fonts. A web page containing malicious content could
cause Firefox to crash or, under certain conditions, possibly execute arbitrary code with the
privileges of the user running Firefox.
CVE-2012-0467, CVE-2012-0468, CVE-2012-0469
A web page containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-0470
A web page containing a malicious Scalable Vector Graphics (SVG) image file could cause
Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running
Firefox.
CVE-2012-0472
A flaw was found in the way Firefox used its embedded Cairo library to render certain fonts.
A web page containing malicious content could cause Firefox to crash or, under certain
conditions, possibly execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-0478
A flaw was found in the way Firefox rendered certain images using WebGL. A web page
containing malicious content could cause Firefox to crash or, under certain conditions,
possibly execute arbitrary code with the privileges of the user running Firefox.
CVE-2012-0471
A cross-site scripting (XSS) flaw was found in the way Firefox handled certain multibyte
character sets. A web page containing malicious content could cause Firefox to run
JavaScript code with the permissions of a different website.
CVE-2012-0473
A flaw was found in the way Firefox rendered certain graphics using WebGL. A web page
containing malicious content could cause Firefox to crash.
CVE-2012-0474
A flaw in Firefox allowed the address bar to display a different website than the one the user
was visiting. An attacker could use this flaw to conceal a malicious URL, possibly tricking a
user into believing they are viewing a trusted site, or allowing scripts to be loaded from the
attacker's site, possibly leading to cross-site scripting (XSS) attacks.
CVE-2012-0477
A flaw was found in the way Firefox decoded the ISO-2022-KR and ISO-2022-CN character
sets. A web page containing malicious content could cause Firefox to run JavaScript code
with the permissions of a different website.
CVE-2012-0479
A flaw was found in the way Firefox handled RSS and Atom feeds. Invalid RSS or Atom
content loaded over HTTPS caused Firefox to display the address of said content in the
location bar, but not the content in the main window. The previous content continued to be
displayed. An attacker could use this flaw to perform phishing attacks, or trick users into
thinking they are visiting the site reported by the location bar, when the page is actually
content controlled by an attacker.
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.4
ESR:
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges
Mateusz Jurczyk of the Google Security Team as the original reporter of CVE-2011-3062; Aki Helin
from OUSPG as the original reporter of CVE-2012-0469; Atte Kettunen from OUSPG as the original
reporter of CVE-2012-0470; wushi of team509 via iDefense as the original reporter of
CVE-2012-0472; Ms2ger as the original reporter of CVE-2012-0478; Anne van Kesteren of Opera Software as the
original reporter of CVE-2012-0471; Matias Juntunen as the original reporter of CVE-2012-0473;
Jordi Chancel and Eddy Bordi, and Chris McGowen as the original reporters of CVE-2012-0474;
Masato Kinugawa as the original reporter of CVE-2012-0477; and Jeroen van der Gun as the original
reporter of CVE-2012-0479.
4.63.4. RHSA-2012:0710 — Critical: firefox security update
Updated firefox packages that fix multiple security issues are now available for Red Hat Enterprise
Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment
for Mozilla Firefox.
Security Fixes
CVE-2011-3101, CVE-2012-1937, CVE-2012-1938, CVE-2012-1939, CVE-2012-1940,
CVE-2012-1941, CVE-2012-1946, CVE-2012-1947
Several flaws were found in the processing of malformed web content. A web page
containing malicious content could cause Firefox to crash or, potentially, execute arbitrary
code with the privileges of the user running Firefox.
Note: CVE-2011-3101 only affected users of certain NVIDIA display drivers with graphics
cards that have hardware acceleration enabled.
CVE-2012-1944
It was found that the Content Security Policy (CSP) implementation in Firefox no longer
blocked Firefox inline event handlers. A remote attacker could use this flaw to possibly
bypass a web application's intended restrictions, if that application relied on CSP to protect
against flaws such as cross-site scripting (XSS).
CVE-2012-1945
If a web server hosted HTML files that are stored on a Microsoft Windows share, or a Samba
share, loading such files with Firefox could result in Windows shortcut files (.lnk) in the
same share also being loaded. An attacker could use this flaw to view the contents of local
files and directories on the victim's system. This issue also affected users opening HTML
files from Microsoft Windows shares, or Samba shares, that are mounted on their systems.
For technical details regarding these flaws, refer to the Mozilla security advisories for Firefox 10.0.5
ESR:
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges
Ken Russell of Google as the original reporter of CVE-2011-3101; Igor Bukanov, Olli Pettay, Boris
Zbarsky, and Jesse Ruderman as the original reporters of CVE-2012-1937; Jesse Ruderman, Igor
Bukanov, Bill McCloskey, Christian Holler, Andrew McCreight, and Brian Bondy as the original
reporters of CVE-2012-1938; Christian Holler as the original reporter of CVE-2012-1939; security
researcher Abhishek Arya of Google as the original reporter of CVE-2012-1940, CVE-2012-1941, and
CVE-2012-1947; security researcher Arthur Gerkis as the original reporter of CVE-2012-1946; security
researcher Adam Barth as the original reporter of CVE-2012-1944; and security researcher Paul
Stone as the original reporter of CVE-2012-1945.
All Firefox users should upgrade to these updated packages, which contain Firefox version 10.0.5
ESR, which corrects these issues. After installing the update, Firefox must be restarted for the
changes to take effect.
4.64. firstaidkit
4.64.1. RHBA-2011:1709 — firstaidkit bug fix update
Updated firstaidkit packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
FirstAidKit is a tool that runs automated diagnostics of an installed system.
Bug Fixes
BZ#664876
Previously, FirstAidKit's GRUB plug-in incorrectly reported failure if GRUB was installed
into the Master Boot Record (MBR). Due to the plug-in being unreliable, it has been
removed from the firstaidkit package.
BZ#738563
The firstaidkit-plugin-grub package has been removed from Red Hat Enterprise Linux 6.2.
As a consequence, in rare cases, the system upgrade operation may fail with unresolved
dependencies if the plug-in has been installed in a previous version of Red Hat Enterprise
Linux. To avoid this problem, the firstaidkit-plugin-grub package should be removed before
upgrading the system. However, in most cases, the system upgrade completes as expected.
All users of firstaidkit are advised to upgrade to these updated packages, which fix these bugs.
4.65. firstboot
4.65.1. RHBA-2011:1742 — firstboot bug fix update
An updated firstboot package that fixes two bugs is now available for Red Hat Enterprise Linux 6.
The firstboot utility runs after installation and guides the user through a series of steps that allows for
easier configuration of the machine.
Bug Fixes
BZ#700283
Previously, the Traditional Chinese translation (zh_TW) of the Forward button on the
welcome page was different from the action mentioned in the text, on the same page,
referring to this button. This update provides the corrected translation.
BZ#700305
Previously, when firstboot was run in the Japanese locale and the user attempted to continue
without setting up an account, an untranslated warning message appeared. With this
update, the message is properly translated into Japanese.
All users of firstboot are advised to upgrade to this updated package, which fixes these bugs.
4.66. freetype
4.66.1. RHSA-2012:0467 — Important: freetype security update
Updated freetype packages that fix multiple security issues are now available for Red Hat Enterprise
Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
FreeType is a free, high-quality, portable font engine that can open and manage font files. It also
loads, hints, and renders individual glyphs efficiently.
Security Fixes
CVE-2012-1134, CVE-2012-1136, CVE-2012-1142, CVE-2012-1144
Multiple flaws were found in the way FreeType handled TrueType Font (TTF), Glyph Bitmap
Distribution Format (BDF), Windows .fnt and .fon, and PostScript Type 1 fonts. If a
specially-crafted font file was loaded by an application linked against FreeType, it could
cause the application to crash or, potentially, execute arbitrary code with the privileges of
the user running the application.
CVE-2012-1126, CVE-2012-1127, CVE-2012-1130, CVE-2012-1131, CVE-2012-1132,
CVE-2012-1137, CVE-2012-1139, CVE-2012-1140, CVE-2012-1141, CVE-2012-1143
Multiple flaws were found in the way FreeType handled fonts in various formats. If a
specially-crafted font file was loaded by an application linked against FreeType, it could
cause the application to crash.
Red Hat would like to thank Mateusz Jurczyk of the Google Security Team for reporting these issues.
Users are advised to upgrade to these updated packages, which contain a backported patch to
correct these issues. The X server must be restarted (log out, then log back in) for this update to take
effect.
4.67. fuse
4.67.1. RHBA-2011:1756 — fuse bug fix update
An updated fuse package that fixes one bug is now available in Red Hat Enterprise Linux 6.
The fuse package contains the file system in userspace utilities and libraries required for using fuse
file systems.
Bug Fix
BZ#723757
Prior to this update, fusermount used an incorrect path to unmount. As a result, fusermount
was unable to unmount mounted fuse file systems. This update modifies fusermount to use
the correct mount path. Now, mounted fuse file systems can be successfully unmounted with
fusermount.
All users who use fuse file systems in their environment are advised to upgrade to this updated fuse
package, which fixes this bug.
4.68. gcc
4.68.1. RHBA-2011:1644 — gcc bug fix and enhancement update
Updated gcc packages that fix various bugs and add three enhancements are now available for Red
Hat Enterprise Linux 6.
The gcc packages include C, C++, Java, Fortran, Objective C, Objective C++, and Ada 95 GNU
compilers, along with related support libraries.
Bug Fixes
BZ#696352
The previous version of GCC incorrectly assumed that processors based on AMD's
multi-core architecture code-named Bulldozer support the 3DNow! instruction set. This
update adapts the underlying source code to make sure that GCC no longer uses the
3DNow! instructions on these processors.
BZ#705764
On the PowerPC architecture, GCC previously passed the V2DImode vector parameters
using the stack and returned them in integer registers, which does not comply with the
Application Binary Interface (ABI). This update corrects this error so that GCC now passes
these parameters using the AltiVec parameter registers and returns them via the AltiVec
return value register.
BZ#721376
Previously, GCC did not flush all pending register saves in a Frame Description Entry
(FDE) before inline assembly instructions. This may have led to various problems when the
inline assembly code modified those registers. With this update, GCC has been adapted to
flush pending register saves in FDE before inline assembly instructions, resolving this
issue.
BZ#732802
Prior to this update, the gcov test coverage utility sometimes incorrectly counted even
opening brackets, which caused it to produce inaccurate statistics. This update applies a
patch that corrects this error so that gcov ignores such brackets, as expected.
BZ#732807
When processing source code that extensively used overloading (that is, with hundreds or
more overloads of the same function or method), the previous version of the C++ front end
consumed a large amount of memory. This negatively affected the overall compile time and
the amount of used system resources. With this update, the C++ front end has been
optimized to use fewer resources in this scenario.
Enhancements
BZ#696145
This update adds support for new "-mfsgsbase", "-mf16c", and "-mrdrnd" command line
options, as well as corresponding intrinsics to the immintrin.h header file. This allows for
reading FS and GS base registers, retrieving random data from the random data generator,
and converting between floating point and half-precision floating-point types.
BZ#696370
GCC now supports AMD's next generation processors. These processors can now be
specified on the command line via the "-march=" and "-mtune=" command line options.
BZ#696495
GCC now supports Intel's next generation processor intrinsics and instructions for
reading the hardware random number generator.
All users of gcc are advised to upgrade to these updated packages, which fix these bugs and add
these enhancements.
4.69. gdb
4.69.1. RHBA-2011:1699 — gdb bug fix and enhancement update
Updated gdb packages that fix multiple bugs and add three enhancements are now available for Red
Hat Enterprise Linux 6.
The GNU Debugger (GDB) allows users to debug programs written in C, C++, and other languages
by executing them in a controlled fashion and then printing out their data.
Bug Fixes
BZ#669432
Prior to this update, GDB could stop on error when trying to access the libpthread shared
library before the library was relocated. GDB now lets the relocations be resolved first,
making such programs debuggable.
BZ#669434
The Intel Fortran Compiler records certain debug info symbols in uppercase but the
gfortran compiler writes case-insensitive symbols in lowercase. As a result, GDB could
terminate unexpectedly when accessing uppercase characters in the debug information
from the Intel Fortran Compiler. With this update, GDB properly implements case
insensitivity and ignores symbol case in the symbol files.
BZ#692386
When the user selected the "-statistics" option with a negative number as a result, GDB
printed the minus sign twice. This has been fixed and GDB now displays negative numbers
with one minus sign only.
BZ#697900
On the PowerPC and the IBM System z architectures, GDB displayed only LWP (lightweight
process) identifiers which matched the Linux TID (Thread Identifier) values for the
threads found in the core file. GDB has been fixed to initialize the libthread_db threads
debugging library when accessing the core file. GDB now correctly displays the pthread_t
identifier in addition to the LWP identifier on the aforementioned architectures.
BZ#702427
Structure field offsets above 65535 described by the DWARF
DW_AT_data_member_location attribute were improperly interpreted as a 0 value. GDB has
been modified and can now also handle large structures and their fields.
BZ#704010
The difference between the very closely related "ptype" and "whatis" commands was not
clearly defined in the gdb info manual. Detailed differences between these commands have
been described in the manual.
BZ#712117
Prior to this update, the "info sources" subcommand printed only relative paths to the
source files. GDB has been modified to correctly display the full path name to the source
file.
BZ#730475
Modifying a string in the executable using the "-write" command line option could fail with
an error if the executable was not running. With this update, GDB can modify executables
even before they are started.
Enhancements
BZ#696890
With this update, Float16 instructions on future Intel processors are now supported.
BZ#698001
Debugged programs can open many shared libraries on demand at runtime using the
dlopen() function. Prior to this update, tracking shared libraries that were in use by the
debugged program could lead to overhead. The debugging performance of GDB has been
improved: the overhead is now lower if applications load many objects.
BZ#718141
Prior to this update, GDB did not handle DWARF 4 .debug_types data correctly. Now, GDB
can correctly process data in the DWARF 4 format.
All GDB users are advised to upgrade to these updated gdb packages, which fix these bugs and add
these enhancements.
4.70. gdm
4.70.1. RHBA-2012:1447 — gdm bug fix update
Updated gdm packages that fix a bug are now available for Red Hat Enterprise Linux 6 Extended
Update Support.
The GNOME Display Manager (GDM) is a highly configurable reimplementation of XDM, the X
Display Manager. GDM allows you to log into your system with the X Window System running and
supports running several different X sessions on your local machine at the same time.
Bug Fix
BZ#860645
When gdm was used to connect to a server via XDMCP (X Display Manager Control
Protocol), another connection to a remote system using the "ssh -X" command resulted in
wrong authorization with the X server. Consequently, applications such as xterm could not
be displayed on the remote system. This update provides a compatible
MIT-MAGIC-COOKIE-1 key in the described scenario, thus fixing this bug.
All users of gdm are advised to upgrade to these updated packages, which fix this bug.
4.70.2. RHBA-2011:1721 — gdm bug fix update
Updated gdm packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
The GNOME Display Manager (GDM) provides the graphical login screen, shown shortly after boot
up, log out, and when user-switching.
Bug Fixes
BZ#661618
GDM did not properly queue up multiple authentication messages so that messages could
quickly be overwritten by newer messages. The queueing mechanism has been modified,
and this problem no longer occurs.
BZ#628462
If a Russian keyboard layout was chosen during system installation, the login screen was
configured to use Russian input for user names and passwords by default. However, GDM
did not provide any visible way to switch between keyboard layouts, and pressing Left Shift
and Right Shift keys did not cause the input to change to ASCII mode in GDM.
Consequently, users were not able to log in to the system. With this update, GDM allows
users to switch keyboard layout properly using the keyboard layout indicator, and users
can now log in as expected.
BZ#723515
GDM did not properly release file descriptors used with XDMCP indirect queries. As a
consequence, the number of file descriptors used by GDM increased with every XDMCP
chooser restart, which, in some cases, led to memory exhaustion and a GDM crash. The
underlying GDM code has been modified to manage file descriptors properly, and the
problem no longer occurs in this scenario.
B Z #6 706 19
In multi-monitor setups, GD M always displayed the login window on the screen that was
determined as active by the mouse pointer position. This behavior caused unpredictable
login window placement in dual screen setups when using the NVID IA's TwinView D ualD isplay Architecture because the mouse pointer initially appeared exactly between the
monitors outside of the visible screen. GD M now uses new logic to ensure that the initial
placement of the mouse pointer and the login window are consistently on one screen.
B Z #6 4 54 53
The GD M simple greeter login window displayed " Suspend" , " Restart" and " Shut D own"
buttons even though the buttons were disabled in GD M configuration and the PolicyKit
toolkit disallowed any stop, restart, suspend actions on the system. With this update, GDM
logic responsible for setting up the greeter login window has been modified and these
buttons are no longer displayed under these circumstances.
BZ#622561
When authenticating to a system and the fingerprint authentication method was enabled,
but no fingerprint reader was attached to the machine, GDM erroneously displayed
authentication method buttons for a brief moment. With this update, GDM displays
authentication method buttons only if the authentication method is enabled and a reading
device is connected.
BZ#708430
GDM did not properly handle its message queue. Therefore, when resetting a password on
user login, GDM displayed an error message from a previous unsuccessful attempt. The
queueing mechanism has been modified, and this problem no longer occurs.
BZ#688158
When logging into a system using LDAP authentication, GDM did not properly handle
LDAP usernames containing backslash characters. As a consequence, such usernames
were not recognized and users were not able to log in even though they provided valid
credentials. With this update, GDM now handles usernames with backslash characters
correctly and users can log in as expected.
All users of gdm are advised to upgrade to these updated packages, which fix these bugs.
4.70.3. RHEA-2012:0435 — gdm enhancement update
Updated gdm packages that add one enhancement are now available for Red Hat Enterprise Linux 6.
The GNOME Display Manager (GDM) provides the graphical login screen, shown shortly after boot
up, logout, and when user-switching.
Enhancement
BZ#799940
Previously, X server audit messages were not included by default in the X server log. Now,
those messages are unconditionally included in the log. Also, with this update, verbose
messages are added to the X server log if debugging is enabled in the /etc/gdm/custom.conf
file (by setting "Enable=true" in the [debug] section).
All users of gdm are advised to upgrade to these updated packages, which add this enhancement.
4.71. ghostscript
4.71.1. RHSA-2012:0095 — Moderate: ghostscript security update
Updated ghostscript packages that fix multiple security issues are now available for Red Hat
Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
Ghostscript is a set of software that provides a PostScript interpreter, a set of C procedures (the
Ghostscript library, which implements the graphics capabilities in the PostScript language) and an
interpreter for Portable Document Format (PDF) files.
Security Fixes
CVE-2009-3743
An integer overflow flaw was found in Ghostscript's TrueType bytecode interpreter. An
attacker could create a specially-crafted PostScript or PDF file that, when interpreted, could
cause Ghostscript to crash or, potentially, execute arbitrary code.
CVE-2010-2055
It was found that Ghostscript always tried to read Ghostscript system initialization files from
the current working directory before checking other directories, even if a search path that
did not contain the current working directory was specified with the "-I" option, or the "-P-"
option was used (to prevent the current working directory being searched first). If a user ran
Ghostscript in an attacker-controlled directory containing a system initialization file, it
could cause Ghostscript to execute arbitrary PostScript code.
CVE-2010-4820
Ghostscript included the current working directory in its library search path by default. If a
user ran Ghostscript without the "-P-" option in an attacker-controlled directory containing
a specially-crafted PostScript library file, it could cause Ghostscript to execute arbitrary
PostScript code. With this update, Ghostscript no longer searches the current working
directory for library files by default.
Note
The fix for CVE-2010-4820 could possibly break existing configurations. To use the
previous, vulnerable behavior, run Ghostscript with the "-P" option (to always
search the current working directory first).
CVE-2010-4054
A flaw was found in the way Ghostscript interpreted PostScript Type 1 and PostScript Type
2 font files. An attacker could create a specially-crafted PostScript Type 1 or PostScript
Type 2 font file that, when interpreted, could cause Ghostscript to crash or, potentially,
execute arbitrary code.
Users of Ghostscript are advised to upgrade to these updated packages, which contain backported
patches to correct these issues.
4.72. glibc
4.72.1. RHSA-2011-1526 — Low: glibc bug fix and enhancement update
Updated glibc packages that fix two security issues, numerous bugs, and add various
enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. Common
Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available
for each vulnerability from the CVE links associated with each description below.
The glibc packages contain the standard C libraries used by multiple programs on the system. These
packages contain the standard C and the standard math libraries. Without these two libraries, a
Linux system cannot function properly.
Security Fixes
CVE-2009-5064
A flaw was found in the way the ldd utility identified dynamically linked libraries. If an
attacker could trick a user into running ldd on a malicious binary, it could result in arbitrary
code execution with the privileges of the user running ldd.
CVE-2011-1089
It was found that the glibc addmntent() function, used by various mount helper utilities, did
not handle certain errors correctly when updating the mtab (mounted file systems table) file.
If such utilities had the setuid bit set, a local attacker could use this flaw to corrupt the mtab
file.
Red Hat would like to thank Dan Rosenberg for reporting the CVE-2011-1089 issue.
Bug Fixes
BZ#676467
The installation of the glibc-debuginfo.i686 and glibc-debuginfo.x86_64 packages failed with a
transaction check error due to a conflict between the packages. This update adds the glibc-debuginfo-common package that contains debuginfo data that are common for all platforms.
The package depends on the glibc-debuginfo package and the user can now install
debuginfo packages for different platforms on a single machine.
BZ#676591
When a process corrupted its heap, the malloc() function could enter a deadlock while
creating an error message string. As a result, the process could become unresponsive. With
this update, the process uses the mmap() function to allocate memory for the error message
instead of the malloc() function. The malloc() deadlock therefore no longer occurs
and the process with a corrupted heap now aborts gracefully.
BZ#692838
India has adopted a new symbol for the Indian rupee, leaving the currency symbol for its
Unicode U20B9 outdated. The rupee symbol has been updated for all Indian locales.
BZ#694386
The strncmp() function, which compares characters of two strings, optimized for IBM
POWER4 and POWER7 architectures could return incorrect data. This happened because
the function accessed the data past the zero byte (\0) of the string under certain
circumstances. With this update, the function has been modified to access the string data
only until the zero byte and returns correct data.
BZ#699724
The crypt() function could cause a memory leak if used with a more complex salt. The
leak arose when the underlying NSS library attempted to call the dlopen() function from
libnspr4.so with the RTLD_NOLOAD flag. With this update, the dlopen() with the
RTLD_NOLOAD flag has been fixed and the memory leak no longer occurs.
BZ#700507
On startup, the nscd daemon logged the following error into the log file if SELinux was
active:
rhel61 nscd: Can't send to audit system: USER_AVC avc: netlink
poll: error 4#012: exe="?" sauid=28 hostname=? addr=? terminal=?
This happened because glibc failed to preserve the respective capabilities on UID change
in the AVC thread. With this update, the AVC thread preserves the respective capabilities
after the nscd startup.
BZ#703481, BZ#703480
When a host was temporarily unavailable, the nscd daemon cached an error that did
not indicate that the problem was only transient, and the request failed. With this update,
the daemon caches a value indicating that the unavailability is temporary and retries
obtaining new data after a set time limit.
BZ#705465
When a module did not provide its own method for retrieving a user list of supplemental
group memberships, the libc library's default method was used instead and all groups
known to the module were examined to acquire the information. Consequently, applications
which attempted to retrieve the information from multiple threads simultaneously interfered
with each other and received an incomplete result set. This update provides a module-specific method which prevents this interference.
BZ#706903
On machines using the Network Information Service (NIS), the getpwuid() function failed
to resolve UIDs to user names when using the passwd utility in the compat mode with a big
netgroup. This occurred because glibc was compiled without the -DUSE_BINDINGDIR=1
option. With this update, glibc has been compiled correctly and the getpwuid() function
works as expected.
BZ#711927
A debugger could have been presented with an inconsistent state after loading a library.
This happened because the ld-linux program did not relocate the library before calling the
debugger. With this update, the library is relocated prior to the calling of the debugger and
the library is accessed successfully.
BZ#714823
The getaddrinfo() function internally uses the simpler gethostbyaddr() functions. In some
cases, this could result in incorrect name canonicalization. With this update, the code has
been modified and the getaddrinfo() function uses the gethostbyaddr() functions only when
appropriate.
BZ#718057
The getpwent() lookups to LDAP (Lightweight Directory Access Protocol) did not return any
netgroup users if the NIS (Network Information Service) domain for individual users was not
defined in /etc/passwd. This happened when the nss_compat mode was set as the mode
was primarily intended for use with NIS. With this update, getpwent returns LDAP netgroup
users even if the users have no NIS domain defined.
BZ#730379
The libresolv library is now compiled with the stack protector enabled.
BZ#731042
The pthread_create() function failed to cancel a thread properly if setting of the real time
policy failed. This occurred because the __pthread_enable_asynccancel() function, as a
non-leaf function, did not align the stack on the 16-byte boundary as required by the AMD64
ABI (Application Binary Interface). With this update, the stack alignment is preserved across
functions.
BZ#736346
When calling the setgroups function after creating threads, glibc did not signal across
threads, and supplementary group IDs were set only for the calling thread. With this update,
the cross-thread signaling in the function has been introduced and supplementary group
IDs are set on all involved threads as expected.
BZ#737778
The setlocale() function could fail. This happened because parameter values were
parsed in the set locale. With this update, the parsing is locale-independent.
BZ#738665
A write barrier was missing in the implementation of additions to the linked list of threads. This
could result in list corruption after several threads called the fork() function at the same
time. The barrier has been added and the problem no longer occurs.
BZ#739184
Statically-linked binaries that call the gethostbyname() function terminated because of
division by zero. This happened because the getpagesize() function required the
dl_pagesize field in the dynamic linker's read-only state to be set. However, the field was not
initialized when a statically linked binary loaded the dynamic linker. With this update, the
getpagesize() function no longer requires a non-zero value in the dl_pagesize field and
falls back to querying the value through the syscall() function if the field value is not set.
Enhancements
BZ#712248
For some queries, the pathconf() and fpathconf() functions need details about each
filesystem type: mapping of its superblock magic number to various filesystem properties
that cannot be queried from the kernel. This update adds support for the Lustre file system
to pathconf and fpathconf.
BZ#695595
The glibc package now provides functions optimized for the Intel 6 series and Intel Xeon
5600 processors.
BZ#695963
The glibc package now supports SSE2 (Streaming SIMD Extensions 2) instructions on the
strlen() function for the AMD FX processors.
BZ#711987
This update adds the f_flags field to support the statvfs output received from kernel.
BZ#738763
The Linux kernel supports the UDP IP_MULTICAST_ALL socket option, which provides
the ability to turn off IP Multicast multiplexing. This update adds the option to glibc.
Users are advised to upgrade to these updated glibc packages, which contain backported patches to
resolve these issues and add these enhancements.
4.72.2. RHSA-2012:0058 — Moderate: glibc security and bug fix update
Updated glibc packages that fix two security issues and three bugs are now available for Red Hat
Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The glibc packages contain the standard C libraries used by multiple programs on the system. These
packages contain the standard C and the standard math libraries. Without these two libraries, a
Linux system cannot function properly.
Security Fixes
CVE-2009-5029
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the
glibc library read timezone files. If a carefully-crafted timezone file was loaded by an
application linked against glibc, it could cause the application to crash or, potentially,
execute arbitrary code with the privileges of the user running the application.
CVE-2011-4609
A denial of service flaw was found in the remote procedure call (RPC) implementation in
glibc. A remote attacker able to open a large number of connections to an RPC service that
is using the RPC implementation from glibc, could use this flaw to make that service use an
excessive amount of CPU time.
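The class of bug described under CVE-2009-5029, as an added example that is not glibc's code or its patch: record counts read from a timezone file header are multiplied into a buffer size, and the product can wrap. The TZif header layout follows RFC 8536; the function names and the sample header are constructed for illustration, and the 32-bit computation stands in for a platform with a 32-bit size_t.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TZIF_HEADER_LEN 44u   /* magic(4) + version(1) + reserved(15) + 6 counts */

/* The six record counts stored in a TZif header (RFC 8536 field names). */
struct tzif_counts {
    uint32_t isutcnt, isstdcnt, leapcnt, timecnt, typecnt, charcnt;
};

static uint32_t get_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Helper used only to construct sample input: serialise a version-1 header. */
void tzif_write_header(unsigned char out[TZIF_HEADER_LEN], const struct tzif_counts *c)
{
    const uint32_t v[6] = { c->isutcnt, c->isstdcnt, c->leapcnt,
                            c->timecnt, c->typecnt, c->charcnt };
    memset(out, 0, TZIF_HEADER_LEN);
    memcpy(out, "TZif", 4);
    for (int i = 0; i < 6; i++)
        put_be32(out + 20 + 4 * i, v[i]);
}

/* Parse the fixed header. Returns 0 on success, -1 on short or non-TZif input. */
int tzif_parse_header(const unsigned char *buf, size_t len, struct tzif_counts *c)
{
    if (len < TZIF_HEADER_LEN || memcmp(buf, "TZif", 4) != 0)
        return -1;
    c->isutcnt  = get_be32(buf + 20);
    c->isstdcnt = get_be32(buf + 24);
    c->leapcnt  = get_be32(buf + 28);
    c->timecnt  = get_be32(buf + 32);
    c->typecnt  = get_be32(buf + 36);
    c->charcnt  = get_be32(buf + 40);
    return 0;
}

/* Unsafe pattern: the version-1 data block size computed in 32-bit arithmetic.
   Attacker-chosen counts make the sum wrap to a small number. */
uint32_t tzif_body_size_wrapping(const struct tzif_counts *c)
{
    return c->timecnt * 4u + c->timecnt      /* transition times + type indices */
         + c->typecnt * 6u + c->charcnt      /* ttinfo records + abbreviations  */
         + c->leapcnt * 8u                   /* leap-second records             */
         + c->isstdcnt + c->isutcnt;         /* std/wall and UT/local flags     */
}

/* Hardened pattern: compute in 64 bits (six 32-bit counts with multipliers of
   at most 8 cannot overflow uint64_t) and reject any size larger than the
   bytes actually present after the header. Returns 0 and sets *out on success. */
int tzif_body_size_checked(const struct tzif_counts *c, size_t file_len, size_t *out)
{
    uint64_t need = (uint64_t)c->timecnt * 5 + (uint64_t)c->typecnt * 6
                  + c->charcnt + (uint64_t)c->leapcnt * 8
                  + c->isstdcnt + c->isutcnt;
    if (file_len < TZIF_HEADER_LEN)
        return -1;
    if (need > (uint64_t)(file_len - TZIF_HEADER_LEN))
        return -1;
    *out = (size_t)need;
    return 0;
}

int main(void)
{
    /* Constructed header: timecnt * 5 equals 2^32 + 4, so it wraps to 4. */
    struct tzif_counts crafted = { 0, 0, 0, 0x33333334u, 1, 4 }, parsed;
    unsigned char hdr[TZIF_HEADER_LEN];
    size_t body = 0;

    tzif_write_header(hdr, &crafted);
    if (tzif_parse_header(hdr, sizeof hdr, &parsed) != 0)
        return 1;
    printf("32-bit size computation: %u bytes\n",
           (unsigned)tzif_body_size_wrapping(&parsed));
    printf("checked computation on a %zu-byte file: %s\n", sizeof hdr + 14,
           tzif_body_size_checked(&parsed, sizeof hdr + 14, &body) == 0
               ? "accepted" : "rejected");
    return 0;
}
```

A parser that allocated the wrapped size and then copied `timecnt` transition records would write far past the allocation; the checked version refuses the file before any allocation happens.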
Bug Fixes
BZ#754116
glibc had incorrect information for numeric separators and groupings for specific French,
Spanish, and German locales. Therefore, applications utilizing glibc's locale support
printed numbers with the wrong separators and groupings when those locales were in use.
With this update, the separator and grouping information has been fixed.
BZ#766484
The RHBA-2011:1179 glibc update introduced a regression, causing glibc to incorrectly
parse groups with more than 126 members, resulting in applications such as "id" failing to
list all the groups a particular user was a member of. With this update, group parsing has
been fixed.
BZ#769594
glibc incorrectly allocated too much memory due to a race condition within its own malloc
routines. This could cause a multi-threaded application to allocate more memory than was
expected. With this update, the race condition has been fixed, and malloc's behavior is now
consistent with the documentation regarding the MALLOC_ARENA_TEST and
MALLOC_ARENA_MAX environment variables.
Users should upgrade to these updated packages, which contain backported patches to resolve
these issues.
4.72.3. RHSA-2012:0393 — Moderate: glibc security and bug fix update
Updated glibc packages that fix one security issue and three bugs are now available for Red Hat
Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The glibc packages provide the standard C and standard math libraries used by multiple programs
on the system. Without these libraries, the Linux system cannot function correctly.
Security Fix
CVE-2012-0864
An integer overflow flaw was found in the implementation of the printf functions family. This
could allow an attacker to bypass FORTIFY_SOURCE protections and execute arbitrary
code using a format string flaw in an application, even though these protections are
expected to limit the impact of such flaws to an application abort.
Bug Fixes
BZ#783999
Previously, the dynamic loader generated an incorrect ordering for initialization according
to the ELF specification. This could result in incorrect ordering of DSO constructors and
destructors. With this update, dependency resolution has been fixed.
BZ#795328
Previously, locking of the main malloc arena was incorrect in the retry path. This could
result in a deadlock if an sbrk request failed. With this update, locking of the main arena in
the retry path has been fixed. This issue was exposed by a bug fix provided in the RHSA-2012:0058 update.
BZ#799259
Calling memcpy with overlapping arguments on certain processors would generate
unexpected results. While such code is a clear violation of ANSI/ISO standards, this update
restores prior memcpy behavior.
All users of glibc are advised to upgrade to these updated packages, which contain patches to
resolve these issues.
4.72.4. RHBA-2012:0566 — glibc bug fix update
Updated glibc packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The glibc packages provide the standard C and standard math libraries used by multiple programs
on the system. Without these libraries, the Linux system cannot function correctly.
Bug Fixes
BZ#802855
Previously, glibc looked for an error condition in the wrong location and failed to process a
second response buffer in the gaih_getanswer() function. As a consequence, the
getaddrinfo() function could not properly return all addresses. This update fixes an
incorrect error test condition in gaih_getanswer() so that glibc now correctly parses the
second response buffer. The getaddrinfo() function now correctly returns all addresses.
BZ#813859
Previously, if the nscd daemon received a CNAME (Canonical Name) record as a response
to a DNS (Domain Name System) query, the cached DNS entry adopted the TTL (Time to
Live) value of the underlying "A" or "AAAA" response. This caused the nscd daemon to wait
for an unexpectedly long time before reloading the DNS entry. With this update, nscd uses
the shortest TTL from the response as the TTL value for the entire record. DNS entries are
reloaded as expected in this scenario.
All users of glibc are advised to upgrade to these updated packages, which fix these bugs.
4.73. gmp
4.73.1. RHBA-2012:0365 — gmp bug fix update
An updated gmp package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The gmp package contains GNU MP, a library for arbitrary precision arithmetic, signed integers
operations, rational numbers and floating point numbers. GNU MP is designed for speed, for both
small and very large operands.
Bug Fix
BZ#798771
Previously, the interface provided by the gmp library was changed. This resulted in one
exported symbol being absent in Red Hat Enterprise Linux 6 (when compared to the Red
Hat Enterprise Linux 5 system). In addition, the symbol could have been reported as
missing under certain circumstances. To fix this problem, this update adds the missing
symbol back to the library.
All users of gmp are advised to upgrade to this updated package, which fixes this bug.
4.74. gnome-power-manager
4.74.1. RHBA-2012:1228 — gnome-packagekit bug fix update
Updated gnome-packagekit packages that fix a bug are now available for Red Hat Enterprise Linux 6
Extended Update Support.
The gnome-packagekit packages provide session applications for the PackageKit API.
Bug Fix
BZ#822946
Previously, it was possible for the user to log out of the system or shut it down while the
PackageKit update tool was running and writing to the RPM database (rpmdb).
Consequently, rpmdb could become damaged and inconsistent due to the unexpected
termination and cause various problems with subsequent operation of the rpm, yum, and
PackageKit utilities. This update modifies PackageKit to not allow shutting down the system
when a transaction writing to rpmdb is active, thus fixing this bug.
Users of gnome-packagekit are advised to upgrade to these updated packages, which fix this bug.
4.74.2. RHBA-2012:0686 — gnome-power-manager bug fix update
Updated gnome-power-manager packages that fix one bug are now available for Red Hat Enterprise
Linux 6.
GNOME Power Manager uses the information and facilities provided by DeviceKit-power to display
icons and handle user callbacks in an interactive GNOME session.
Bug Fix
BZ#800267
After resuming the system or re-enabling the display, an icon could appear in the
notification area with an erroneous tooltip that read "Session active, not inhibited, screen
idle. If you see this test, your display server is broken and you should notify your
distributor." and included a URL to an external web page. This error message was
incorrect, had no effect on the system and could be safely ignored. In addition, linking to an
external URL from the notification and status area is unwanted. To prevent this, the icon is
no longer used for debugging idle problems.
All users are advised to upgrade to these updated gnome-power-manager packages, which fix this
bug.
4.75. gnome-screensaver
4.75.1. RHEA-2011:1652 — gnome-screensaver bug fix and enhancement update
An updated gnome-screensaver package that fixes various bugs and adds one enhancement is now
available for Red Hat Enterprise Linux 6.
The gnome-screensaver package contains the GNOME project's official screen saver program. It is
designed for improved integration with the GNOME desktop, including themeability, language
support, and Human Interface Guidelines (HIG) compliance. It also provides screen-locking and fast
user-switching from a locked screen.
Bug Fixes
BZ#648850
When the user locked the screen and the X Window System did not support the X Resize,
Rotate (XRandR) or XF86VM gamma fade extensions, then the gnome-screensaver utility
terminated with a segmentation fault. With this update, additional checks are made before
calling the fade_setup() function, and gnome-screensaver no longer terminates.
BZ#697892
Prior to this update, the Unlock dialog box arbitrarily changed between the monitors in dual
head setups, based on the position of the mouse pointer. The Unlock dialog box is now
placed on a consistent monitor instead of where the mouse is located.
BZ#719023
Previously, when docking a laptop and using an external monitor, parts of the background
got cut off due to incorrect logic for determining monitor dimensions. With this update, the
source code is modified and the login screen is now displayed correctly.
BZ#740892
Previously, in rare cases, the screen saver entered a deadlock if monitors were removed
during the fade up. The screen was locked as a consequence. This update modifies
gnome-screensaver so that the screen saver responds as expected.
Enhancement
BZ#677580
Previously, there was no indicator of the keyboard layout when the screen was locked.
Users who used more than one layout did not know which layout was active. Consequently,
users could be forced to type the password several times. This update adds the missing
keyboard layout indicator.
All users of gnome-screensaver are advised to upgrade to this updated package, which fixes these
bugs and adds this enhancement.
4.76. gnome-session
4.76.1. RHEA-2011:1654 — gnome-session bug fix and enhancement update
Updated gnome-session packages that fix a bug and add an enhancement are now available for
Red Hat Enterprise Linux 6.
The gnome-session package manages the GNOME desktop session. It starts up the other core
components of GNOME and handles logout and saving of the session.
Bug Fix
BZ#664516
Prior to this update, the gnome-session utility may have improperly saved desktop
sessions. As a consequence, when logging in, the running applications were incorrectly
collapsed from multiple workspaces into the first workspace and their initial position was
not restored. This has been fixed: applications are now restored in their original
workspaces and correctly positioned.
Enhancement
BZ#622849
Prior to this update, users were not able to manage multiple custom GNOME sessions while
being logged in. Now, multiple sessions can be managed under the Options tab of System -> Preferences -> Startup Applications.
Users are advised to upgrade to these updated gnome-session packages, which resolve this bug
and add this enhancement.
4.77. gnome-system-monitor
4.77.1. RHEA-2011:1612 — gnome-system-monitor enhancement update
An enhanced gnome-system-monitor package that provides an enhancement is now available for
Red Hat Enterprise Linux 6.
The gnome-system-monitor package contains a tool which allows you to graphically view and
manipulate the running processes on the system. It also provides an overview of available resources
such as CPU and memory.
Enhancement
BZ#571597
Previously, the CPU History graph could be hard to read if it displayed large numbers of
CPUs. This update modifies the design: scrollbars were added for easier manipulation of
the window and a random color is now generated for each CPU.
Users of gnome-system-monitor are advised to upgrade to this updated package, which adds this
enhancement.
4.78. gnome-terminal
4.78.1. RHBA-2011:1172 — gnome-terminal bug fix update
An updated gnome-terminal package that fixes one bug is now available for Red Hat Enterprise Linux
6.
The gnome-terminal package contains a terminal emulator for GNOME. It supports translucent
backgrounds, opening multiple terminals in a single window (tabs) and clickable URLs.
Bug Fix
BZ#655132
Previously, the regular expression used to find URLs in the text was missing a colon
character. As a consequence, a URL containing a colon was not interpreted correctly.
With this update, a colon character has been added to the regular expression so that the
URL is now properly interpreted.
All gnome-terminal users are advised to upgrade to this updated package, which fixes this bug.
4.79. gnutls
4.79.1. RHSA-2012:0429 — Important: gnutls security update
Updated gnutls packages that fix two security issues are now available for Red Hat Enterprise Linux
6.
The Red Hat Security Response Team has rated this update as having important security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The GnuTLS library provides support for cryptographic algorithms and for protocols such as
Transport Layer Security (TLS).
Security Fixes
CVE-2012-1573
A flaw was found in the way GnuTLS decrypted malformed TLS records. This could cause a
TLS/SSL client or server to crash when processing a specially-crafted TLS record from a
remote TLS/SSL connection peer.
CVE-2011-4128
A boundary error was found in the gnutls_session_get_data() function. A malicious
TLS/SSL server could use this flaw to crash a TLS/SSL client or, possibly, execute arbitrary
code as the client, if the client passed a fixed-sized buffer to gnutls_session_get_data()
before checking the real size of the session data provided by the server.
Red Hat would like to thank Matthew Hall of Mu Dynamics for reporting CVE-2012-1573.
Users of GnuTLS are advised to upgrade to these updated packages, which contain backported
patches to correct these issues. For the update to take effect, all applications linked to the GnuTLS
library must be restarted, or the system rebooted.
4.80. gpm
4.80.1. RHBA-2011:1092 — gpm bug fix update
Updated gpm packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The gpm packages contain a program handling mouse services on a system console device.
Bug Fix
BZ#684920
Prior to this update, it was not possible to build the gpm packages on the supported
platforms if the emacs package was installed. This problem has been resolved with this
update and no longer occurs.
All users of gpm are advised to upgrade to these updated packages, which fix this bug.
4.81. gpxe
4.81.1. RHBA-2011:1765 — gpxe bug fix update
Updated gpxe packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The gpxe packages provide an open source Preboot Execution Environment (PXE) implementation
and bootloader. gPXE also supports additional protocols such as DNS, HTTP, iSCSI and ATA over
Ethernet.
Bug Fix
BZ#743893
Prior to this update, PXE failed to boot a virtual machine which used the virtio network
interface card (NIC). An upstream patch, which incorporates the latest upstream gPXE
paravirtualized network adapter (virtio-net) driver and removes the legacy Etherboot virtio-net driver, has been applied to fix this problem. Now, PXE can successfully boot virtual
machines that use virtio NIC.
All users of gpxe are advised to upgrade to these updated packages, which fix this bug.
4.82. graphviz
4.82.1. RHBA-2011:0965 — graphviz bug fix update
Updated graphviz packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
Graphviz is graph visualization software used to represent structural information as diagrams,
abstract graphs or networks.
Bug Fixes
BZ#624658
Several links in the Graphviz Documentation Index file led to nonexistent or incorrectly
named files. This update fixes these links so that their targets resolve correctly.
BZ#624690
The graphviz test suite was disabled on the PowerPC, 64-bit PowerPC and SPARC64
architectures due to unexpected terminations with segmentation faults. The test code used
in the test suite did not set the TextLayout plugin correctly, which led to the crash of the test
suite. This has been fixed and the test suite passes on all architectures.
BZ#640247
Prior to this update, the About dialog box displayed "<unknown>" instead of the real name
of the DotEdit utility. This has been fixed and the name is now displayed correctly.
BZ#679715
When using the graphviz utility with PHP, the gv.so module did not load and displayed the
following error message:
/usr/lib64/php/modules/gv.so' - /usr/lib64/php/modules/gv.so:
undefined symbol: zend_error_noreturn in Unknown on line 0
This was caused by the SWIG tool which used the zend_error_noreturn() function to build
the PHP module. SWIG has been modified and the bug no longer occurs.
All users of graphviz are advised to upgrade to these updated packages, which fix these bugs.
4.83. grub
4.83.1. RHBA-2011:1720 — grub bug fix and enhancement update
An updated grub package that fixes three bugs and adds two enhancements is now available for
Red Hat Enterprise Linux 6.
The GRUB utility is responsible for booting the operating system kernel.
Bug Fixes
BZ#677468
Due to an error in the underlying source code, previous versions of GRUB may have failed
to boot in Unified Extensible Firmware Interface (UEFI) mode. This happened because
GRUB was making UEFI calls without aligning the stack pointer to a 16-byte boundary.
With this update, a patch has been applied to correct this error, and GRUB now boots in
UEFI mode as expected.
BZ#736833
Prior to this update, an attempt to install GRUB on a CCISS device may have caused the
grub-install utility to report the following error:
expr: non-numeric argument
When this happened, grub-install failed to install GRUB on this device, but incorrectly
reported success and returned a zero exit status. This update applies a patch that ensures
that GRUB can now be successfully installed on such devices.
BZ#746106
When looking for its configuration file, the previous versions of GRUB did not respect
the vendor-specific EFI device path. With this update, the underlying source code has been
adapted to use the vendor-specific EFI device path as expected.
Enhancements
BZ#629408
Prior to this update, the GRUB boot loader was unable to boot from boot drives that were
larger than 2.2 TB. This update adds support for such devices on UEFI systems.
BZ#671355
On BIOS-based systems, previous versions of GRUB were only able to boot from the first eight
disk drives. This update allows GRUB to boot from up to 128 disk drives on these systems.
All users of grub are advised to upgrade to this updated package, which fixes these bugs and adds
these enhancements.
4.84. guile
4.84.1. RHBA-2011:0855 — guile bug fix update
An updated guile package that fixes one bug is now available for Red Hat Enterprise Linux 6.
GUILE (GNU's Ubiquitous Intelligent Language for Extension) is a library implementation of the
Scheme programming language, written in C. GUILE provides a machine-independent execution
platform that can be linked in as a library during the building of extensible programs.
Bug Fix
BZ#659674
Due to a problem in the build test suite, the guile package failed to build. The problem has
been resolved in this update so that the guile package now builds properly.
All users of guile are advised to upgrade to this updated package, which fixes this bug.
4.85. httpd
4.85.1. RHSA-2012:0128 — Moderate: httpd security update
Updated httpd packages that fix multiple security issues are now available for Red Hat Enterprise
Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The Apache HTTP Server is a popular web server.
Security Fix
CVE-2011-3639, CVE-2011-4317
It was discovered that the fix for CVE-2011-3368 (released via RHSA-2011:1391) did not
completely address the problem. An attacker could bypass the fix and make a reverse proxy
connect to an arbitrary server not directly accessible to the attacker by sending an HTTP
version 0.9 request, or by using a specially-crafted URI.
CVE-2012-0053
The httpd server included the full HTTP header line in the default error page generated
when receiving an excessively long or malformed header. Malicious JavaScript running in
the server's domain context could use this flaw to gain access to httpOnly cookies.
CVE-2011-3607
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way
httpd performed substitutions in regular expressions. An attacker able to set certain httpd
settings, such as a user permitted to override the httpd configuration for a specific directory
using a ".htaccess" file, could use this flaw to crash the httpd child process or, possibly,
execute arbitrary code with the privileges of the "apache" user.
CVE-2012-0031
A flaw was found in the way httpd handled child process status information. A malicious
program running with httpd child process privileges (such as a PHP or CGI script) could
use this flaw to cause the parent httpd process to crash during httpd service shutdown.
All httpd users should upgrade to these updated packages, which contain backported patches to
correct these issues. After installing the updated packages, the httpd daemon will be restarted
automatically.
4.85.2. RHBA-2011:1630 — httpd bug fix update
Updated httpd packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The Apache HTTP Server is a popular web server.
Bug Fixes
BZ#694939
The Apache module "mod_proxy" implements a proxy or gateway for the Apache web
server. The "ProxyErrorOverride On" option did not work if used with "mod_proxy_ajp", the
AJP support module for mod_proxy. Consequently, when accessing a 404 URL in the
"/static" context, which was proxied with AJP, the 404 page from the proxy was displayed
rather than the 404 page from Apache itself. This update corrects the code and accessing
404 URLs now works as intended, via Apache, as defined in "ErrorDocument".
BZ#700074
When a backend server sends data via SSL, and is using chunked transfer encoding, the
backend splits the chunk between two different SSL blocks. Prior to this update, when
transferring data via SSL through a reverse proxy implemented with Apache, "mod_proxy",
and "mod_ssl", the end of the first SSL block was sometimes lost and the length of the next
chunk was thus invalid. Consequently, files were sometimes corrupted during transfer via
SSL. This update implements a backported fix to this problem and the error no longer
occurs.
BZ#700075
The "FilterProvider" directive of the "mod_filter" module was unable to match against non-standard
HTTP response headers. Consequently, output content data was not filtered or
processed as expected by httpd in certain configurations. With this update, a backported
patch has been applied to address this issue, and the FilterProvider directive is now able to
match against non-standard HTTP response headers as expected.
BZ#700393
In situations where httpd could not allocate memory, httpd sometimes terminated
unexpectedly with a segmentation fault rather than terminating the process with an error
message. With this update, a patch has been applied to correct this issue and httpd no
longer crashes in the scenario described.
BZ#714704
Server Name Indication (SNI) sends the name of the virtual domain as part of the TLS
negotiation. Prior to this enhancement, if a client sent the wrong SNI data the client would
be rejected. With this update, in configurations where SNI is not required, "mod_ssl" can
ignore the SNI hostname "hint".
BZ#720980
Prior to this update, httpd terminated unexpectedly on startup with a segmentation fault
when proxy client certificates were shared across multiple virtual hosts (using the
SSLProxyMachineCertificateFile directive). With this update a patch has been applied and
httpd no longer crashes in the scenario described.
BZ#729585
When the "SSLCryptoDevice" config variable in "ssl.conf" was set to an unknown or invalid
value, the httpd daemon would terminate unexpectedly with a segmentation fault at startup.
With this update the code has been corrected, httpd no longer crashes, and httpd will issue
an appropriate error message in this scenario.
BZ#737960
If using mod_proxy_ftp, an httpd process could terminate unexpectedly with a
segmentation fault when tests were made on an IPv6 localhost enabled machine. This
update implements improvements to the code and the mod_proxy_ftp process no longer
crashes in the scenario described.
BZ#740242
When using the "mod_cache" module, by default, the "CacheMaxExpire" directive is only
applied to responses which do not specify their expiry date. Previously, it was not possible
to limit the maximum expiry time for all resources. This update applies a patch which adapts
the mod_cache module to provide support for "hard" as a second argument of the
CacheMaxExpire directive, allowing a maximum expiry time to be enforced for all resources.
BZ#676634
The "mod_reqtimeout" module, when enabled, allows fine-grained timeouts to be applied
during request parsing. The mod_reqtimeout module has been backported from upstream
in this update.
All users of httpd are advised to upgrade to these updated packages, which fix these bugs.
4.86. hwdata
4.86.1. RHEA-2011:1663 — hwdata enhancement update
An updated hwdata package that adds various enhancements is now available for Red Hat
Enterprise Linux 6.
The hwdata package contains tools for accessing and displaying hardware identification and
configuration data.
Enhancements
BZ#682399
The pci.ids database has been updated with information about HP Laptop WiFi chipsets.
BZ#695798
The pci.ids database has been updated with information about future Intel PCH (Platform
Controller Hub) devices.
BZ#712177
The pci.ids database has been updated with correct information about QLogic IBA7322
InfiniBand devices.
BZ#713070
The pci.ids database has been updated with information about future Atheros wireless
devices.
BZ#739376
The pci.ids database has been updated with information about future Broadcom wireless
devices.
BZ#728909
The pci.ids database has been updated according to the latest upstream changes.
Users of hwdata are advised to upgrade to this updated package, which adds these enhancements.
4.87. ibus
4.87.1. RHBA-2011:1645 — ibus bug fix update
Updated ibus packages that resolve an issue are now available for Red Hat Enterprise Linux 6.
The Intelligent Input Bus for Linux OS (IBus) is an input framework for Linux OS.
Bug Fix
BZ#667031
IBus did not work on a minimal installation of Red Hat Enterprise Linux 6 if no desktop
environment, such as KDE or GNOME, was installed. This issue was caused by the missing
dbus-x11 package, which IBus is dependent on. The dbus-x11 package is now included as
a prerequisite for IBus in the IBus spec file, and IBus now works as expected.
All users of ibus are advised to upgrade to these updated packages, which resolve this issue.
4.88. ibus-anthy
4.88.1. RHBA-2011:1208 — ibus-anthy bug fix update
An updated ibus-anthy package that fixes a bug is now available for Red Hat Enterprise Linux 6.
The ibus-anthy package contains the Anthy engine, which provides an input method for Japanese
based on the IBus (Intelligent Input Bus) platform.
Bug Fix
BZ#661597
Previously, when changing the Candidate Window Page Size setting of Other under the
General tab, the im-chooser application had to be restarted for the changes to take effect.
This problem has been fixed and the changes made to Candidate Window Page Size now
apply immediately.
All users of ibus-anthy are advised to upgrade to this updated package, which resolves this bug.
4.89. ibus-table-erbi
4.89.1. RHBA-2011:1274 — ibus-table-erbi bug fix update
An updated ibus-table-erbi package that fixes two bugs is now available for Red Hat Enterprise Linux
6.
The ibus-table-erbi package provides the Simplified Chinese input method, ErBi.
Bug Fixes
BZ#712805
Prior to this update, the ibus-table-erbi spec file contained a redundant line which printed
the debug message "/usr/share/ibus-table/tables" at the end of installation. The line
indicated the working directory of the post-install script and has been removed to fix the
problem.
BZ#729906
Previously, the table index was updated when running the post-install script of the ibus-table-erbi
package. This modified the size of the files, the MD5 Message-Digest Algorithm
checksum and the access time of database files. As a consequence, the "rpm -V" command
failed with false positive warnings of the aforementioned changes due to the changes not
matching the values in the package metadata. This has been fixed: files that are expected to
be modified when running the post-install script are now specified with correct verify flags in
the spec file.
All users of ibus-table-erbi are advised to upgrade to this updated package, which resolves these
bugs.
4.90. icedtea-web
4.90.1. RHBA-2011:1624 — icedtea-web enhancement update
An updated icedtea-web package that fixes several bugs and adds various enhancements is now
available for Red Hat Enterprise Linux 6.
IcedTea-Web provides a Java web browser plug-in, a Java Web Start implementation, and the
IcedTea Web Control Panel.
The icedtea-web package has been upgraded to upstream version 1.1.4, which provides a number of
bug fixes and enhancements over the previous version. (BZ#713514)
Bug Fixes
BZ#683479
The Java Web Start window invoked by the "javaws -about" command contained out-of-date
information and could not be closed correctly. The information was outdated because
the Java Network Launching Protocol (JNLP) XML file defined inadequate access
permissions to access the about.jnlp file, which contained the update information. With this
update, the about information has been moved to an accessible location. The window
failed to close as the respective process thread became unresponsive. Now, the window
contains up-to-date information and the thread closes correctly.
BZ#718693
MindTerm SSH Applet failed to work as it was using class
netscape.security.PrivilegeManager, which was not present in icedtea-web. This update
adds the class and the applet works as expected.
BZ#731345, BZ#731358
Java Web Start and IcedTea plug-in sometimes failed to run as they were calling a java
binary with a JDK-based path instead of a JRE-based path. With this update, the package
spec file contains the correct definition of the path construction and javaws and icedtea-plugin
call the correct java binary.
BZ#734081
When running an application with javaws, javaws failed to use the proxy settings from
Firefox even though the respective setting was enabled ("Use browser settings") and failed
over to the "DIRECT" mode. This happened because javaws was looking for the DEFAULT
profile in the Firefox configuration file to acquire the current proxy settings. If it failed to
locate the section with the DEFAULT profile, the default "DIRECT" mode was applied. With
this update, javaws uses the settings from the last section under these circumstances.
BZ#741796
Starting from version 10, Elluminate did not work with IcedTea-Web. This happened
because Elluminate specified Class-Path elements in its manifest file which caused a
conflict with the jnlp-specified JARs. With this update, the IcedTea-Web plug-in no longer
honors the Class-Path elements (just as the Oracle implementation) and Elluminate works
with IcedTea-Web as expected.
All users of icedtea-web are advised to upgrade to this updated package, which fixes these bugs and
adds these enhancements.
4.90.2. RHBA-2012:0372 — icedtea-web bug fix update
An updated icedtea-web package that fixes two bugs is now available for Red Hat Enterprise Linux 6.
The icedtea-web package provides a Java web browser plug-in, a Java Web Start implementation,
and the IcedTea Web Control Panel.
The icedtea-web package has been upgraded to upstream version 1.1.5, which ensures that Firefox
10 and later does not terminate unexpectedly when LiveConnect is heavily used, and that Chrome
browser tabs no longer terminate unexpectedly during JavaScript execution. (BZ#800276)
Note
This update is not compatible with Firefox 3.6 and earlier. If you are using such a Firefox
version, upgrade to a later supported version before applying this update.
All users of icedtea-web are advised to upgrade to this updated package, which fixes these bugs.
4.91. icu
4.91.1. RHSA-2011:1815 — Moderate: icu security update
Updated icu packages that fix one security issue are now available for Red Hat Enterprise Linux 5
and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The International Components for Unicode (ICU) library provides robust and full-featured Unicode
services.
Security Fix
CVE-2011-4599
A stack-based buffer overflow flaw was found in the way ICU performed variant
canonicalization for some locale identifiers. If a specially-crafted locale representation was
opened in an application linked against ICU, it could cause the application to crash or,
possibly, execute arbitrary code with the privileges of the user running the application.
All users of ICU should upgrade to these updated packages, which contain a backported patch to
resolve this issue. All applications linked against ICU must be restarted for this update to take effect.
4.92. ImageMagick
4.92.1. RHSA-2012:0544 — Moderate: ImageMagick security update
Updated ImageMagick packages that fix multiple security issues are now available for Red Hat
Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
ImageMagick is an image display and manipulation tool for the X Window System that can read and
write multiple image formats.
Security Fix
CVE-2012-0247
A flaw was found in the way ImageMagick processed images with malformed Exchangeable
image file format (Exif) metadata. An attacker could create a specially-crafted image file that,
when opened by a victim, would cause ImageMagick to crash or, potentially, execute
arbitrary code.
CVE-2012-0248
A denial of service flaw was found in the way ImageMagick processed images with
malformed Exif metadata. An attacker could create a specially-crafted image file that, when
opened by a victim, could cause ImageMagick to enter an infinite loop.
CVE-2010-4167
It was found that ImageMagick utilities tried to load ImageMagick configuration files from
the current working directory. If a user ran an ImageMagick utility in an attacker-controlled
directory containing a specially-crafted ImageMagick configuration file, it could cause the
utility to execute arbitrary code.
CVE-2012-0259
An integer overflow flaw was found in the way ImageMagick processed certain Exif tags with
a large components count. An attacker could create a specially-crafted image file that, when
opened by a victim, could cause ImageMagick to access invalid memory and crash.
CVE-2012-0260
A denial of service flaw was found in the way ImageMagick decoded certain JPEG images.
A remote attacker could provide a JPEG image with specially-crafted sequences of RST0 up
to RST7 restart markers (used to indicate the input stream to be corrupted), which once
processed by ImageMagick, would cause it to consume excessive amounts of memory and
CPU time.
CVE-2012-1798
An out-of-bounds buffer read flaw was found in the way ImageMagick processed certain
TIFF image files. A remote attacker could provide a TIFF image with a specially-crafted Exif
IFD value (the set of tags for recording Exif-specific attribute information), which once
opened by ImageMagick, would cause it to crash.
Red Hat would like to thank CERT-FI for reporting CVE-2012-0259, CVE-2012-0260, and CVE-2012-1798.
CERT-FI acknowledges Aleksis Kauppinen, Joonas Kuorilehto, Tuomas Parttimaa and Lasse
Ylivainio of Codenomicon's CROSS project as the original reporters.
Users of ImageMagick are advised to upgrade to these updated packages, which contain backported
patches to correct these issues. All running instances of ImageMagick must be restarted for this
update to take effect.
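The Exif flaws above (a large components count in CVE-2012-0259, a bad Exif IFD value in CVE-2012-1798) belong to a bug class that the following added C example illustrates: it validates one 12-byte Exif/TIFF IFD entry, with the unchecked 32-bit size computation shown beside a checked one. This is not ImageMagick's code and not part of the original notes; all function and type names are hypothetical, the sample bytes are constructed, and the buffer is assumed to start at the TIFF header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes per component for TIFF/Exif field types 1..12 (index 0 is unused). */
static const uint8_t exif_type_size[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

enum exif_status {
    EXIF_OK = 0,
    EXIF_TRUNCATED,      /* fewer than 12 bytes left for the entry itself */
    EXIF_BAD_TYPE,       /* field type outside 1..12 */
    EXIF_OVERFLOW,       /* count * component size does not fit in 32 bits */
    EXIF_OUT_OF_BOUNDS   /* value bytes would lie outside the buffer */
};

struct exif_entry {
    uint16_t tag, type;
    uint32_t count;      /* number of components, as stored in the file */
    size_t data_off;     /* where the value bytes start, relative to buf */
    size_t data_len;     /* validated length of the value in bytes */
};

static uint16_t rd16(const uint8_t *p, int big_endian)
{
    return big_endian ? (uint16_t)((p[0] << 8) | p[1])
                      : (uint16_t)((p[1] << 8) | p[0]);
}

static uint32_t rd32(const uint8_t *p, int big_endian)
{
    return big_endian
        ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
        : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* UNSAFE pattern, kept for comparison: the product is computed in 32 bits,
 * so a large count wraps to a small size that passes later length checks. */
uint32_t exif_size_unchecked(uint32_t count, uint16_t type)
{
    return type <= 12 ? count * (uint32_t)exif_type_size[type] : 0;
}

/* Hardened parse of the IFD entry at entry_off. On EXIF_OK, out->data_off and
 * out->data_len describe a value range that lies entirely inside buf. */
enum exif_status exif_parse_entry(const uint8_t *buf, size_t buf_len,
                                  size_t entry_off, int big_endian,
                                  struct exif_entry *out)
{
    if (entry_off > buf_len || buf_len - entry_off < 12)
        return EXIF_TRUNCATED;

    const uint8_t *e = buf + entry_off;
    out->tag = rd16(e, big_endian);
    out->type = rd16(e + 2, big_endian);
    out->count = rd32(e + 4, big_endian);
    out->data_off = 0;
    out->data_len = 0;

    if (out->type == 0 || out->type > 12)
        return EXIF_BAD_TYPE;

    /* Widen before multiplying so the product cannot wrap. */
    uint64_t len = (uint64_t)out->count * exif_type_size[out->type];
    if (len > UINT32_MAX)
        return EXIF_OVERFLOW;

    if (len <= 4) {
        /* Values of up to 4 bytes are stored inline in the entry. */
        out->data_off = entry_off + 8;
    } else {
        /* Larger values live at an offset; check it without adding. */
        uint32_t off = rd32(e + 8, big_endian);
        if (off > buf_len || len > buf_len - off)
            return EXIF_OUT_OF_BOUNDS;
        out->data_off = off;
    }
    out->data_len = (size_t)len;
    return EXIF_OK;
}

int main(void)
{
    /* Constructed little-endian entry: tag 0x011A, type 5 (RATIONAL),
     * count 0x40000001, value offset 12, followed by 8 zero bytes. */
    uint8_t s[20] = {0x1A, 0x01, 0x05, 0x00, 0x01, 0x00, 0x00, 0x40,
                     0x0C, 0x00, 0x00, 0x00};
    struct exif_entry e;

    printf("unchecked size: %u bytes\n", (unsigned)exif_size_unchecked(0x40000001u, 5));
    printf("checked status: %d\n", exif_parse_entry(s, sizeof s, 0, 0, &e));
    return 0;
}
```
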
4.93. initscripts
4.93.1. RHBA-2011:1528 — initscripts bug fix and enhancement update
An updated initscripts package that fixes a number of bugs and adds various enhancements is now
available for Red Hat Enterprise Linux 6.
The initscripts package contains system scripts to boot the system, change runlevels, activate and
deactivate most network interfaces, and shut the system down cleanly.
Bug Fixes
BZ#743222
Previously, the restorecon utility did not change MLS (multi-level security) levels unless
the -F parameter was used. As a consequence, the /dev and /dev/pts filesystems were
not correctly labelled after boot in systems with configured MLS policy. This bug has been
fixed and the restorecon -F command is now used for /dev and /dev/pts by default.
BZ#734987
When an explicit configuration option, such as crashkernel=128M, was specified to
reserve crash dump memory, the kexec-disable upstart job unconditionally freed up the
memory if the kdump mechanism was not enabled. This action could not be reverted until a
reboot. With this update, the kexec-disable job has been changed to not free reserved
memory, unless the crashkernel parameter is set to auto, thus fixing this bug.
BZ#675079
Previously, when the /etc/modprobe.d/bonding.conf file or the modprobe.conf
file was used to set the bonding options, the bond0 interface never came up after a service
restart because the arp_ip_target module was not restored. This bug has been fixed and
arp_ip_target is now restored when configured in one of these files.
BZ#698520
Previously, there was a bug in the rc.sysinit script that allowed to properly set a
hostname when more than one IP address was passed to the ipcalc utility. Even though it
was difficult to emulate such a scenario, the rc.sysinit script has been fixed to prevent
this bug, and ipcalc is now always passed only a single IP address.
BZ#700184
When a network interface was configured with the NetworkManager utility to statically
assign an IP address or a prefix, then NetworkManager was stopped, and the interface
was reset via the ifdown and ifup utilities, the interface lost its IP address. With this
update, the network scripts have been fixed to properly read the IPADDR0 parameter in
interface configuration files, and now IP addresses of such interfaces are preserved in the
described scenario.
BZ#703475
Previously, when two VLAN interfaces were bonded together, the /etc/init.d/network
script got into a loop and became unresponsive, trying to resolve MAC addresses of the
interfaces. As a result, the server was prevented from completing its start-up sequence. With
this update, /etc/init.d/network has been fixed, MAC addresses of VLAN interfaces
are now resolved properly, and bonds between such interfaces now work as expected.
BZ#705367
Previously, when the PREFIX option was specified for the ifcfg utility while the NETMASK
option was undefined, the netmask was calculated without regard to the PREFIX value.
With this update, the expand_config() function has been fixed to use the PREFIX
properly, and the netmask is now calculated correctly in the described scenario.
BZ#702814
When a system needed to be restarted after an unexpected termination, root password was
not accepted to run the emergency shell. With this update, the rc.sysinit script has been
fixed to run the /bin/plymouth command instead of /usr/bin/plymouth, thus fixing
this bug. Additionally, other relevant scripts have been updated to properly work with the
separated /usr/ directory.
BZ#703210
Due to a bug in the /etc/init.d/halt script, no mount point set up with the word nfs in
its path could be unmounted at reboot or shut down. This bug has been fixed and such
mount points are now unmounted properly.
BZ#681357
In Red Hat Enterprise Linux 6, when the emergency parameter was appended to the kernel
command line, the system failed to invoke the sulogin command. With this update, the rcS-emergency
task, which is run before the rc.sysinit script if emergency is passed to the
kernel, has been added, and sulogin is now properly invoked in the described scenario.
BZ#729359
Due to a bug in the /etc/sysconfig/network-scripts/ifdown-eth script, the PID
file name passed to the dhclient utility during a shutdown procedure did not include the
IP version prefix. Consequently, leases for IPv6 addresses could not be released. This bug
has been fixed and the shutdown procedure now works properly both with the IPv4 and
IPv6 clients.
Enhancements
BZ#692240
Previously, the ifup and ifdown scripts explicitly ignored IPv6 configuration files that
contained an alias. With this update, clients properly utilize aliases on IPv6 devices in Red
Hat Enterprise Linux.
BZ#653630, BZ#672202
There was a need to have a simple mechanism for troubleshooting network problems,
integrated into existing log monitoring facilities. With this update, network scripts have been
updated to report errors via the syslog utility, and the error messages now appear in
configured syslog channels.
BZ#680527
Previously, configuration options for the sysctl utility could only be changed in the
/etc/sysctl.conf file. With this update, several scripts have been updated to also
recognize additional configuration files located in the /etc/sysctl.d/ directory.
BZ#692410
With this update, network start-up scripts have been enhanced to support all ethtool
command options. These options can be set via the ETHTOOL_OPTS parameter in
configuration files located in the /etc/sysconfig/network-scripts/ directory and
take effect after reboot.
BZ#696788
With this update, start-up network scripts have been enhanced to set up static ARP
(Address Resolution Protocol) entries located in the /etc/ethers file, allowing
these entries to be loaded early in the system startup.
Users of initscripts are advised to upgrade to this updated package, which fixes these bugs and
adds these enhancements.
4.93.2. RHBA-2012:0355 — initscripts bug fix update
An updated initscripts package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The initscripts package contains basic system scripts to boot the system, change runlevels, activate
and deactivate most network interfaces, and shut the system down cleanly.
Bug Fix
BZ#789056
The previous version of initscripts did not support IPv6 routing in the same way as IPv4
routing. IPv6 addressing and routing could be achieved only by specifying the "ip"
commands explicitly with the "-6" flag in the "/etc/sysconfig/network-scripts/rule-DEVICE_NAME"
configuration file (where "DEVICE_NAME" is a name of the respective
network interface). With this update, related network scripts have been modified to provide
support for IPv6-based policy routing. IPv6 routing is now configured separately in the
"/etc/sysconfig/network-scripts/rule6-DEVICE_NAME" configuration file.
All users of initscripts are advised to upgrade to this updated package, which fixes this bug.
4.94. ipa
4.94.1. RHSA-2011:1533 — Moderate: ipa security and bug fix update
An updated ipa package that fixes one security issue and several bugs is now available for Red Hat
Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are
available for each vulnerability from the CVE link associated with the description below.
Red Hat Identity Management is a centralized authentication, identity management and authorization
solution for both traditional and cloud based enterprise environments. It integrates components of
the Red Hat Directory Server, MIT Kerberos, Red Hat Certificate System, NTP and DNS. It provides
web browser and command-line interfaces. Its administration tools allow an administrator to quickly
install, set up, and administer a group of domain controllers to meet the authentication and identity
management requirements of large scale Linux and UNIX deployments.
Security Fix
CVE-2011-3636
A Cross-Site Request Forgery (CSRF) flaw was found in Red Hat Identity Management. If a
remote attacker could trick a user, who was logged into the management web interface, into
visiting a specially-crafted URL, the attacker could perform Red Hat Identity Management
configuration changes with the privileges of the logged in user.
Due to the changes required to fix CVE-2011-3636, client tools will need to be updated for
client systems to communicate with updated Red Hat Identity Management servers. New
client systems will need to have the updated ipa-client package installed to be enrolled.
Already enrolled client systems will need to have the updated certmonger package installed
to be able to renew their system certificate. Note that system certificates are valid for two
years by default.
Updated ipa-client and certmonger packages for Red Hat Enterprise Linux 6 were released as
part of Red Hat Enterprise Linux 6.2. Future updates will provide updated packages for Red
Hat Enterprise Linux 5.
Bug Fixes
BZ#705800
When installation of Identity Management clients failed, the debugging information shown
in the /var/log/ipaclient-install.log file did not provide enough information to
determine the cause of the failure. With this update, the /var/log/ipaclient-install.log
file contains improved debugging messages that make it easier to debug a
possible installation failure.
BZ#705794
The Identity Management services were not started after a reboot when the server was
installed with the ipa-replica-install command. With this update, after an
installation of a replica with ipa-replica-install, the ipa service is enabled using
the chkconfig utility so that the Identity Management services are started and available
after a reboot.
BZ#704012
Prior to this update, installing an Identity Management replica in a new IP subnet with an
Identity Management-controlled DNS server failed. With this update, such operation no
longer fails, although, the bind service needs to be restarted when a new reverse zone is
added over LDAP.
BZ#703869
Previously, Identity Management replication installations were missing configuration for
managed entries. As a consequence, user-private groups and netgroups were not created
for host groups if they were created on the replica. This update adds the missing
configuration, and user and host group creation work as expected.
BZ#723662
Prior to this update, GSSAPI credential delegation was disabled in the curl utility due to a
security issue. As a result, applications that rely on delegation did not work properly. This
update utilizes a new constructor argument in the xmlrpc-c client API to set the new
CURLOPT_GSSAPI_DELEGATION curl option. This option enables the credential
delegation, thus fixing this bug.
BZ#698421
An Identity Management replica would occasionally fail to install while trying to initialize
replication with the remote Identity Management server. With this update, the memberOf
attribute is rebuilt during installation, thus fixing this issue. Note that the 389 Directory
Server (389-ds) may crash if it is restarted while this task is running. Wait for this task to
complete before requesting a restart.
BZ#743253
For NIS compatibility reasons, when a host group is created, a net group with the same
name is created as well. However, when a host group is created, it was not checked whether
there was a net group with the same name already existent. As a consequence, the host
group was created, but the net group could not be created and the user was not notified of
this. With this update, when a new host group is created, the Identity Management server
checks whether a net group with the specified name exists already. If there is such a group,
the operation is denied.
BZ#743936
Prior to this update, the Identity Management web user interface loaded the entire Identity
Management API name space when it was being started. As a result, JSON requests
returned a large amount of data, which caused certain browsers to report the script stack
space quota is exhausted message and prevented a user from accessing the Web UI.
This update splits the Web UI initialization into several smaller calls. Browsers no longer report
errors and the Web UI works as expected.
BZ#719656
Running the ipa-nis-manage command disabled the NIS listener and also removed the
netgroup compatibility suffix. If NIS was disabled, the automatic creation of net groups was
disabled as well. Thus, creating a host group would fail to automatically create a net group.
With this update, disabling NIS has no effect on the automatic creation of net groups when
host groups are created.
BZ#725433
Adding an indirect automount map to a mount point that already exists returned an error,
but created the map anyway. As a result, the map could not be removed with Identity
Management tools. With this update, the addition of an indirect map requires the creation of
a key to store the mount point. If the addition of a map fails because the key already exists,
the map is removed.
BZ#744264
Prior to this update, the Web UI Password Policy interface was missing some of the
password policy fields that are present in the command line version (specifically, Max
failures, Failure reset interval, Lockout duration, and Priority). As a result, users could not
set these parameters via the Web UI and had to use the CLI version. This update adds all
the missing Password Policy fields to the Web UI.
BZ#696193
When an Identity Management server A was using a KDC on Identity Management server B,
and server B went down, on server A it looked as if server B was still operational. This
caused clients to fail to enroll. With this update, the underlying source code has been
modified to address this issue, and client enrollment works as expected.
BZ#742327
Permission objects related to DNS were improperly formatted and added before the relevant
DNS privileges (that they were members of) were added to LDAP. DNS-related permissions
contained only limited information. Additionally, the privilege objects, which they were members
of, lacked memberof LDAP attributes pointing back to the permissions. Thus, a user could
get an incorrect list of permissions that were members of a DNS-related privilege. With this
update, permission object formatting has been fixed and the missing memberof LDAP
attributes in the relevant DNS privileges are properly added. Users now get a valid list of
permissions (containing all the needed information) when displaying a DNS-related
privilege.
BZ#691531
A certificate not signed by the Identity Management Certificate Authority (CA) imported into
Identity Management could not be managed by Identity Management. Performing any
operations on a service or a host that would cause Identity Management to attempt to
revoke a certificate would fail (for example, disabling or deleting a host or service). With this
update, certificates issued by other CAs cannot be imported into an Identity Management
host or a service record. Disabling and deleting hosts and services works as expected and
correctly revokes certificates.
BZ#741808
An LDAP object migrated using the migrate-ds command could contain a multi-valued
RDN attribute. However, the migrate-ds process picked only the first value of the RDN
attribute and did not respect the value that was present in the DN in the migrated LDAP
object. With this update, the value that is used in the original LDAP object DN is used,
rather than the first value of a multi-valued RDN. As a result, LDAP objects with a multi-valued RDN attribute are migrated without any errors.
BZ#741677
When the ipa-client-install command was run with the --password option containing a bulk
password for client enrollment, the password could be printed to the Identity Management client
install log in plain text. This behavior has been fixed, and passwords are no
longer logged in the install log file.
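Added example (not part of the Red Hat notes, and not the ipa-client-install code): one way an installer can mask the value of --password before its command line reaches the log, covering both the separate-argument form and the = form. The sample command lines, the password value and the logger name are constructed.

```python
import io
import logging

# Options whose values must never reach a log file. Only --password comes from
# the note above; extending the set to other options is an assumption.
SENSITIVE_OPTIONS = frozenset({"--password"})
MASK = "********"


def redact_argv(argv, sensitive=SENSITIVE_OPTIONS, mask=MASK):
    """Return a copy of argv with the values of sensitive options masked.

    Handles "--password VALUE" and "--password=VALUE". Everything after a
    bare "--" is positional and is left untouched.
    """
    redacted = []
    mask_next = False
    positional_only = False
    for arg in argv:
        if positional_only:
            redacted.append(arg)
            continue
        if mask_next:
            # This argument is the value of the preceding sensitive option.
            redacted.append(mask)
            mask_next = False
            continue
        if arg == "--":
            positional_only = True
            redacted.append(arg)
            continue
        name, sep, _value = arg.partition("=")
        if name in sensitive:
            if sep:
                redacted.append(name + "=" + mask)
            else:
                redacted.append(name)
                mask_next = True
            continue
        redacted.append(arg)
    return redacted


def log_invocation(logger, argv):
    """Log the command line only after redaction, never the raw argv."""
    logger.debug("invoked as: %s", " ".join(redact_argv(argv)))


def demo():
    """Log two constructed command lines and return the captured log text."""
    stream = io.StringIO()
    logger = logging.getLogger("install-log-demo")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    logger.addHandler(handler)
    try:
        # Constructed invocations; the password value is made up.
        log_invocation(logger, ["ipa-client-install", "--password",
                                "Bulk0TP-example", "--hostname",
                                "client.example.com"])
        log_invocation(logger, ["ipa-client-install",
                                "--password=Bulk0TP-example"])
    finally:
        logger.removeHandler(handler)
    return stream.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

Logs written by a version that predates the fix may still hold the enrollment password, so such files are worth reviewing and the bulk password worth rotating.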
BZ#726943
By default, the Identity Management Web UI adds a redirect from the web root to /ipa/ui.
This makes it look like no other web resources may be used. With this update, during the
installation process, the --no-ui-redirect option can be used to disable the default
Rewrite rule. This may also be commented out manually in the
/etc/httpd/conf.d/ipa-rewrite.conf file. As a result, the web server root can point to
any specified place. However, /ipa must remain available to Identity Management.
BZ#745957
The Identity Management Web UI did not take into account when a non-admin user was a
member of an administrative role, which has more privileges than just performing self-service actions. With this update, non-admin users with an administrative role are shown
the full administrative tabset as expected.
BZ#746056
Identity Management Web UI did not allow addition of an external user (that is, user that is
not managed by Identity Management) as a RunAs user for a Sudo rule. An external RunAs
user could be added to a Sudo rule via the command line only. With this update, adding an
external user as a RunAs user is possible in the Web UI.
BZ#726123
The automountkey-del command includes a --continue option which has no function
and does not affect anything. With this update, the --continue option has been hidden, and will
be deprecated in the next major release.
BZ#723622
Prior to this update, the ipa-getkeytab command failed with Bind errors. If 32-bit
packages were used on a 64-bit system, the 32-bit cyrus-sasl-gssapi package was required.
This update adds architecture-specific Requires to the RPM spec file, and retrieving of
keytabs no longer fails.
BZ#707009
Installing an Identity Management server signed by an external CA failed with the following
error:
cannot concatenate 'str' and 'NoneType' objects
This was because the required information was not being passed so the installation failed
when constructing the Kerberos principal name for the Dogtag 389-ds instance. This
information is now provided by the installer, thus fixing this issue.
BZ#727282
In the Identity Management Web GUI, attempting to view a certificate of a host returned the
unknown command u'show' error message. Users could only use the command-line to view
host certificates. The certificate buttons including Get, View, Revoke, and Restore for hosts
and services have been fixed to use the correct entity name, and viewing of certificates in
the Web UI works as expected.
BZ#726526
The number of ports that needed to be open between Identity Management replicas was too
high. Managing such a number of ports required planning because new rules were needed
for each replication agreement. With this update, Dogtag is now proxied via the existing
Apache web server on ports 80 and 443, which already need to be open. Ports 944[3-6] no
longer need to be open in the firewall.
BZ#727921
It is possible to add a host group as a member of a net group; however, that relationship
did not appear when viewing a host group. With this update, net group membership is
displayed when viewing a host group.
BZ#726715
When importing automaster maps, the auto.direct mount mounted on /- was ignored
because it was considered a duplicate. Consequently, direct maps needed to be added
manually. This update adds an exception for the auto.direct map when importing so that its
keys can be added, and importing direct maps works as expected.
BZ#728118
The output of adding or showing a sudo rule with a runAsGroup included a reference to an
ipasudorunasgroup_group attribute, making the output unclear. A proper label was
added for runAsGroup and the sudo option, which makes the output more understandable.
BZ#728614
Using the ipa-replica-install command did not ensure that the dbus service was running.
Consequently, tracking certificates with certmonger returned an error and the installation
failed. With this update, prior to starting certmonger, it is checked whether the dbus-daemon is running.
BZ#733436
The Identity Management server installer and ipactl use two different methods to
determine whether Identity Management is configured. If the Identity Management
uninstallation was not complete, ipactl may have claimed that the Identity Management
server is not configured while the Identity Management server installer refused to continue
because Identity Management was configured. With this update, a common function that
checks whether the Identity Management server is configured has been added. During the
uninstallation process of the Identity Management server, checks are run that report leftover files so that users can manually resolve these.
BZ#714238
Prior to this update, the error message returned when setting an integer value that was too
large on 64-bit systems was confusing. This update limits the integer values to 2147483647
on all platforms, making error messages consistent on 32 and 64-bit systems.
BZ#729245
Adding an option to a sudo rule with the sudorule-add-option command did not
display a summary after the option was added. With this update, a summary is printed in
the form of Added option 'x' to Sudo Rule 'y'.
BZ#730436
Under rare circumstances, certain operations may have caused the 389 Directory Server
(389-ds) to crash or not function properly. This was because NSPR (Netscape Portable
Runtime) read/write locks used by 389-ds were not re-entrant. These locks were replaced
with POSIX thread read-write locks in the Identity Management 389-ds plugins, and the
aforementioned crashes no longer occur.
BZ#729246
Removing an option from a sudo rule with the sudorule-remove-option command did
not display a summary after the option was removed. With this update, a summary is printed
in the form of Removed option 'x' to Sudo Rule 'y'.
BZ#729377
Installing an Identity Management server using the --no-host-dns option without a DNS
resolvable host name caused the installation to fail with DNS errors. This update moves the
no-host-dns test so that it is tested before any DNS lookups occur, and installations with
the --no-host-dns option do not perform any DNS validation.
BZ#732468
When Identity Management client A/PTR DNS records did not match, the ipa-getkeytab
and ipa-join commands did not operate properly, and the client could not be enrolled to
the Identity Management server. As a result, client installations failed every time. With this
update, matching client A/PTR DNS records are no longer a requirement for ipa-getkeytab and ipa-join, and client installations succeed even when the
aforementioned records do not match.
BZ#730713
Selecting a check box for users, groups, hosts, or host groups when deleting a list of
objects in an HBAC rule in the Identity Management Web UI left the check box checked even
when the operation was complete and the entry was re-edited. With this update, the
selection is cleared when the page is refreshed.
BZ#730751
When editing an HBAC rule in the Identity Management Web UI, the delete button was
enabled even when no selection was made. This update disables the delete button when
nothing is selected.
BZ#729089
Removing an external host value by checking the update dns check box reported the
action as successful even though the host was not removed. With this update, the host is
removed successfully in the aforementioned scenario.
BZ#728950
If a 389-ds certificate expired, the Identity Management services did not start. This update
adds new options for 389-ds that control how 389-ds reacts to an expired
certificate. The default setting is to warn the user and start the services.
BZ#729665
Checking/unchecking the Hide already enrolled check box when adding/removing
members from a group had no effect. This update removes this check box.
BZ#726725
Passing an empty map name to the automountmap or automountkey command returned
the following error:
Map:
ipa: ERROR: 'automountmapautomountmapname' is required
This was because Identity Management tries to hide the LDAP implementation and often
provides a different value for options and errors than is actually used. It may also use
contrived internal names for uniqueness. With this update, Identity Management returns the
correct values depending on the context so that a more useful error message is returned. As
a result, in the aforementioned scenario, the correct value, automountmap, is now returned.
BZ#714600
The default SSSD configuration did not store passwords if offline. Consequently, when a
machine was disconnected from the network, SSSD was unable to authenticate any users.
With this update, the krb5_store_password_if_offline parameter is set to True in
the /etc/sssd/sssd.conf file by default. Note that the --no-krb5-offline-passwords
option of the ipa-client-install command may be used if storing passwords for
offline use is not desired.
BZ#726722
Passing an empty location to the automountmap or automountkey command returned
the following error:
Location:
ipa: ERROR: 'automountlocationcn' is required
This was because Identity Management tries to hide the LDAP implementation and often
provides a different value for options and errors than is actually used. It may also use
contrived internal names for uniqueness. With this update, Identity Management returns the
correct values depending on the context so that a more useful error message is returned. As
a result, in the aforementioned scenario, the correct value, automountlocation, is now
returned.
BZ#714919
Prior to this update, the ipa-client-install command did not configure a hostname
in the /etc/sysconfig/network file. Consequently, when the --hostname value was
passed to the client installer, that value was used during enrollment. However, the system
hostname did not match the name of the machine. With this update, the
/etc/sysconfig/network file is updated upon installation and /bin/hostname is
executed with the hostname of the machine. The name used in the enrollment process now
matches the hostname of the machine.
BZ#715112
Renaming users (via ipa user-mod --setattr) may have returned a Not Found error.
Renaming the actual users was successful, but their user-private groups were not updated.
With this update, the 389-ds plugin has been modified so that the ipa_modrdn plugin
runs last. This plugin manages renaming of the Kerberos principal name of the user.
Renaming a user now also renames the user-private group.
BZ#736684
If an Identity Management client was installed and there was too large a time difference
between the client and the Identity Management server, a KDC running on the Identity
Management server may have refused any Kerberos authentication request from the client.
Consequently, the installation process could fail as it could not get a valid Kerberos ticket.
With this update, time is always synchronized with the NTP servers configured for the client
domain or the Identity Management server itself. If the time synchronization succeeds, the
time on the client machine is fixed and Kerberos authentication and the installation itself
successfully continue.
BZ#737048
The ipa-client-install command always ran /usr/sbin/authconfig to add the
pam_krb5.so entry to PAM configuration files in the /etc/pam.d/ directory. However,
this entry was not needed when an Identity Management client is installed with SSSD
support, which is the default behavior. As a result, an unnecessary record was added to the
PAM configuration. With this update, /usr/sbin/authconfig is not run if the Identity
Management client is configured with SSSD support.
BZ#717724
The certificate subject base was editable post-install which caused the change to not be
propagated to the CA. With this update, the certificate subject base is read-only and the
value cannot be modified post installation.
BZ#737581
Prior to this update, a new host could be added to an Identity Management server without
proper validation. For example, a host with an invalid hostname or a hostname containing
a whitespace character could be created. With this update, proper validation of hostnames
for any host has been added, and only hosts with valid hostnames can now be added to
an Identity Management server.
BZ#717965
The Identity Management configuration stored a value for Password Expiration Notification but
did not display it by default (when using the ipa config-show command). This update
adds Password Expiration Notification to the list of attributes shown by default when
running the ipa config-show command.
BZ#745698
Identity Management installation tools accepted invalid IP addresses in their --forwarder
or --ip-address options. Consequently, installation could eventually fail, for example
because of an invalid name server configuration. With this update, all IP addresses passed
to the ipa-server-install, ipa-replica-install and ipa-dns-install
commands are checked for validity.
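Added example (not from the Red Hat notes and not the Identity Management installer code): the kind of up-front checks that BZ#737581 and BZ#745698 describe, applied to the values of --hostname, --ip-address and --forwarder before anything is configured. The DNS label rules, the fully qualified name requirement and the rejection of loopback, unspecified and multicast addresses are assumptions; all names and addresses are constructed.

```python
import ipaddress
import re

# One DNS label: 1-63 letters, digits or hyphens, no hyphen at either end
# (assumed rule set, following the usual host name conventions).
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)\Z")


def validate_hostname(name):
    """Return None if name is acceptable, otherwise a short reason string."""
    if name != name.strip():
        return "leading or trailing whitespace"
    if any(ch.isspace() for ch in name):
        return "whitespace inside host name"
    if name.endswith("."):
        name = name[:-1]  # a single trailing dot (root label) is allowed
    if not name or len(name) > 253:
        return "empty or longer than 253 characters"
    labels = name.split(".")
    if len(labels) < 2:
        return "not fully qualified"  # assumption: hosts are given as FQDNs
    for label in labels:
        if not _LABEL.match(label):
            return "invalid label %r" % label
    return None


def validate_ip(value):
    """Return an ipaddress object for a usable address or raise ValueError."""
    if value != value.strip():
        raise ValueError("leading or trailing whitespace")
    addr = ipaddress.ip_address(value)  # ValueError on malformed IPv4/IPv6
    # Assumption: addresses that cannot identify a reachable server are refused.
    if addr.is_unspecified or addr.is_multicast or addr.is_loopback:
        raise ValueError("%s is not a usable server address" % addr)
    return addr


def check_install_options(hostname, ip_address, forwarders=()):
    """Validate --hostname, --ip-address and every --forwarder value.

    Returns a list of error strings; an empty list means everything passed,
    so the caller can refuse to start before any configuration is written.
    """
    errors = []
    reason = validate_hostname(hostname)
    if reason:
        errors.append("--hostname %r: %s" % (hostname, reason))
    pairs = [("--ip-address", ip_address)]
    pairs += [("--forwarder", fwd) for fwd in forwarders]
    for option, value in pairs:
        try:
            validate_ip(value)
        except ValueError as exc:
            errors.append("%s %r: %s" % (option, value, exc))
    return errors


if __name__ == "__main__":
    # Constructed input: a host name with a space and two bad addresses.
    for line in check_install_options("ipa .example.com", "192.0.2.300",
                                      ["2001:db8::53", "not-an-ip"]):
        print(line)
```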
BZ#739040
When the ipa-client-install command detected that the client hostname was not
resolvable, it tried to add a DNS record to the Identity Management server. However, it did
not expect that the client could have been using an IPv6 machine, and the installation
process failed. This update adds a check to make sure that the process for adding a DNS
record to the Identity Management server works for both IPv4 and IPv6, and the Identity
Management client installation works as expected.
BZ#739640
When a new service was added via the Add New Service Web UI dialog box, the Web UI
did not check if the service name field was filled in. When the dialog box was confirmed with
the service name field empty, a new service named undefined was created. With this
update, the service name field is required to be filled in.
BZ#693496
Prior to this update, the ipa-nis-manage tool crashed with a Python exception when
attempting to use an LDAPI connection only. With this update, ipa-nis-manage correctly
falls back to GSSAPI or a password-based authentication if the LDAPI connection fails.
BZ#723233
An attempt to create a rule with an invalid type returned an error which informed users that
only allow and deny are accepted as types:
ipa: ERROR: invalid 'type': must be one of (u'allow', u'deny')
However, rules of the type deny are not allowed. With this update, the deny type was
deprecated because SSSD determined that properly enforcing the deny type was extremely
difficult and dependent on how other libraries present host information.
BZ#743680
The ipa-server-install command did not update the system hostname when it was
installed with a custom hostname. It passed the hostname to services using their own
configurations. However, some services failed to function properly as they did not expect an
Identity Management server to use a custom hostname and not a system hostname. With
this update, the system hostname is updated to the value passed via ipa-server-install's --hostname option. The system hostname is also set in the system network
configuration in /etc/sysconfig/network so that it is properly set after a system
reboot. Refer to Section 2.8, “Authentication” for a known limitation regarding Identity
Management server installations with custom hostnames.
BZ#707001
When installing an Identity Management server and using an external CA to sign it, the
specified command line options were not properly validated. In such a case, the resulting
CSR contained only the string null. This update adds better detection of whether the CA
389-ds instance has been installed to identify the current stage of the installation, thus
fixing this issue.
BZ#723778
When deleting an automount location, the command appeared to be successful, but there
was no feedback provided on the output. With this update, a summary of all automount
commands is shown.
BZ#723781
When adding an automount location, the command appeared to be successful, but there
was no feedback provided on the output. With this update, a summary of all automount
commands is shown.
BZ#707133
Prior to this update, the ipa-nis-manage command did not return an exit status of 0
when successful. With this update, the underlying source code has been modified to
address this issue, and correct exit codes are returned.
BZ#737997
When a new user was added, its login was normalized and lower-cased. However, its
principal was not normalized and contained the original login. Consequently, if a new user
with an uppercase letter in its login was added, a disconnect between a user login and its
principal was created. The Identity Management server then refused to create a password
for that user. This update normalizes both the new user login and its principal, thus fixing
this issue.
BZ#737994
Certain Identity Management commands require a file to be passed. For example, a cert-request command requires a CSR file. If the command contains a validation rule for the
required file, it needs to be executed before it can be processed. However, if the file was
passed in the CLI command interactively (and not as a command option), the validation
rule was applied to the file path and not the file contents. As a result, a validation rule could
fail and the command then returned an error until the file was passed as a command
option. With this update, a validation rule is applied to file contents only, and users can
pass the required file on the command line both interactively and via a command option.
BZ#726454
Previously, there was no indicator in a host entry that a one-time password was set. This
update adds a new output attribute for host entries, has_password, that is set when the
host has a password set. If has_password is True, a password has been set on the host.
However, there is no way to see what that password is once it has been set.
BZ#716287
When a host is enrolled, the user that does the enrollment is stored in the attribute
enrolledBy on the host. Prior to this update, an administrator was able to change this
value by using the ipa host-mod --setattr command. This action should not be allowed. This
update fixes this behavior and write permissions have been removed from the enrolledBy
attribute.
BZ#714924
When configuring an Identity Management client to use SSSD, if an error occurred while
looking up users, the following error message was displayed:
nss_ldap is not able to use DNS discovery
This update modifies this error message to be more specific.
BZ#736617
The ipa-client-install command did not configure /usr/sbin/ntpdate to use
correct NTP servers in the /etc/ntp/step-tickers file. Additionally, ipa-client-install did not store the state of the ntpd service before installation. Consequently, when
an Identity Management client was installed, ntpdate may have used incorrect servers to
synchronize with. When the Identity Management client was uninstalled, the ntpd service may have
been set to an incorrect state. With this update, ipa-client-install configures
ntpdate to use the IPA NTP server for synchronization. When an IPA client is uninstalled,
both the ntpdate configuration and the ntpd status are restored.
BZ#714597
The IPA-generated /etc/krb5.conf file contained values which were not present in the
standard configuration file (specifically: ticket_lifetime, renew_lifetime, and
forwardable in the [libdefaults] section, and the entire [appdefaults] section).
This update removes these unnecessary values and sections.
BZ#680504
DNS forward and reverse entries are stored discretely. Removing one does not remove the
other unless specifically requested. Previously, it was unclear how to remove the required
entries. This update adds a new interactive mode (via ipa dnsrecord-del) to the
command line application which guides the user through the process of removing the
required entries.
BZ#725763
Summary data displayed when adding an automount key has been modified to include the
map and the key.
BZ#717625
Updating values in the configuration tab in the Identity Management Web UI returned an
error. This was because the Web UI was searching for a primary key configuration. With this
update, it no longer searches for the key, and the configuration tab works as expected.
BZ#717020
When activating or deactivating a user in the Identity Management Web UI, the user is
updated without having to click the Update button. With this update, a message box is
displayed indicating that the change is going into effect immediately.
BZ#716432
If 389-ds debugging was enabled, superfluous content appeared in the ipactl output.
With this update, the amount of information displayed in the ipactl output has been
reduced. The previously reported data is now available in the 389-ds error log only.
BZ#714799
The ipa-client-install command did not successfully run on a client when a one-time
password was set on a host in the Identity Management Web UI. Consequently, clients
could not be enrolled using a one-time password if it was set in the Web UI. With this
update, the krbLastPwdChange value is no longer set in the host entry when setting a
host one-time password, thus fixing this issue.
BZ#713798
Prior to this update, DNS lookups were not being forwarded if they originated in a subnet
that was not managed by Identity Management. With this update, the Identity Management
DNS is configured to allow recursion by default, thus fixing this issue.
BZ#713481
When removing a runAsGroup value from a sudo rule, the command appeared to be
successful, but the group information data included in the output was not updated and did
not show the proper membership. This update fixes this bug, and data is refreshed before
being returned.
BZ#713380
When removing a runasuser (via ipa sudorule-remove-runasuser) and,
consequently, defining a group, the RunAs Group value was not included in the output. This
was because the label for the returned data was mislabeled and was not appearing in the
output. With this update, the underlying source code has been modified to address this
issue, and adding a group to runasuser is properly displayed.
BZ#713069
Comma-separated values were not handled properly when the --externaluser option
was specified for the sudorule-mod command. As a result, erroneous values were stored
in the entry. With this update, the --externaluser option was removed from the
sudorule-mod command. It is advisable to use the sudorule-add-user command
instead.
BZ#731804
Upgrading Identity Management from version 2.0.0-23 caused the 389-ds configuration to
be modified to not accept requests. With this update, the upgrade process is more robust
and always restores the 389-ds configuration. As a result, upgrading Identity Management
no longer leaves the system in an inconsistent state.
BZ#731805
Different error types could cause various error messages to appear in the Identity
Management Web UI. This update makes all error messages in the Web UI consistent.
BZ#732084
Disabling SELinux (SELINUX=disabled in /etc/selinux/config) and attempting to
restart the ipa service caused the ipa service to fail to start. This update ignores the value
returned by restorecon, and the ipa service now starts as expected whether SELinux is
enabled or disabled.
BZ#712889
A request to set a certificate revocation reason to 7 would cause the request to fail and the
certificate was not revoked. Reason 7 is not a valid revocation reason according to RFC
5280. With this update, an error message is returned to the user, informing of the fact that,
when used, reason 7 is not a valid revocation reason.
BZ#726028
Previously, renaming an automount key did not work properly because the DN of the key was
being updated but not the value within the entry. Renaming an automount key now updates
the DN and the stored key value, thus fixing this issue.
BZ#711786
When setting runAsGroup in a sudo role as a user, the name of that user is returned as the
name of a group that may also be used as the runAsGroup. As a result, the sudo rule was
erroneous and referred to a non-existent group. This was because the search filter for
determining the CN value was too generic. This update adds a test which assures user
names no longer appear as runAsGroup values.
BZ#711761
Prior to this update, removing a sudo rule option failed on the server because the code
which handled sudo rule option removal was not robust enough and if the input did not
exactly match the stored value, it failed. With this update, removing sudo rule options works
as expected.
BZ#711671, BZ#711667
Previously, comma-separated values were not handled properly when using sudorule-mod's --runasexternaluser or --runasexternalgroup options. With this update, the
aforementioned options have been deprecated. It is advisable to use the sudorule-add-runasuser or sudorule-runasgroup commands instead.
BZ#710601, BZ#710598, BZ#710592
Prior to this update, leading and trailing spaces were allowed in some parameter values.
This update adds a validator that disallows the use of leading and trailing spaces.
B Z #710530
Passing an empty password when prompted to by the i pa-ni s-manag e command did not
display an error and did not exit the command. With this update, passing an empty
password causes an error to appear (No passwo rd suppl i ed ), and the command is
exited with the status code 1.
B Z #7104 9 4
The i pa-ni s-manag e command has an option, -y, to specify the D irectory Manager
password in a file. This option caused the command to crash if the file did not exist. An
exception handler around the password reader has been added, and a proper error
message is displayed when the supplied password file is non-existent or is not readable.
B Z #710253
When adding a runasuser (via i pa sud o rul e-ad d -runasuser) and, consequently,
defining a group, the RunAs Group value was not included in the output. This was because
the label for the returned data was mislabeled and was not appearing in the output. With
this update, the underlying source code has been modified to address this issue, and
adding a group to runasuser is properly displayed.
B Z #7386 9 3
A user with a valid Kerberos ticket can change an IPA password with the i pa passwd
command. Prior to this update, the command did not require entering the old password.
Consequently, anyone with access to that user's shell could change his Identity
Management password without knowing the old password. With this update, the old
password is always required in order to change a user's password. The only exception is
the administrator user.
B Z #71024 5
A removed sudorule option appeared in the output when that option was removed. With this
update, option values are refreshed before being returned, and the output of the delete
command is consistent with the actual data.
B Z #71024 0
Adding a duplicate sudorule option did not generate any errors messages. With this
update, rather than ignoring duplicate values, an error is returned when a duplicate
sudorule option is added.
B Z #739 19 5
When attempting to unprovision a host keytab in the Identity Management Web UI
Unprovisioning Host dialog, there was no option to cancel the process. This update adds
the C ancel button to the Unprovisioning Host dialog.
BZ#709665, BZ#709645
When removing external hosts from a sudorule, the output shown after the command
completed contained the hosts that were removed. With this update, external host
information is refreshed before it is returned to the client.
BZ#707312
Previously, new DNS zones were not available until the bind service was restarted. With
this update, an updated bind-dyndb-ldap package added a zone refresh option that Identity
Management uses to refresh the zone list in DNS. The default setting is 30 seconds. As a
result, new DNS zones are not immediately available, but the bind service does not have
to be restarted anymore.
BZ#740320
When a new group was being created via the Identity Management Web UI, unchecking the
Posix check box was not taken into account and a posix group was created every time.
With this update, the underlying source code has been modified to address this issue, and
creating non-posix groups works as expected.
BZ#707229
The --no-host-dns option of the ipa-server-install command still checked that the
forward and reverse DNS entries existed and matched. Installation of an Identity
Management server using a host name that could not be resolved would then fail. This
update removes any DNS validation when the --no-host-dns option is used.
BZ#705804
The subject name of a CA agent certificate used by Identity Management was not very
specific. This update changes the subject name from RA Subsystem to IPA RA.
BZ#702685
If a remote LDAP server that was being used while migrating to Identity Management
contained an LDAP search reference, the migration failed. With this update, the migration
process logs any search references and skips them, assuring a successful migration.
BZ#740885
For an HBAC rule, you can choose to add a host in the Accessing section of the Identity
Management Web UI. Clicking on Enroll without selecting a host did not return an error
indicating that a host was not selected. With this update, the Enroll button is disabled
until a host is chosen.
BZ#740891
For an HBAC rule, you can choose to delete a host in the Accessing section of the Identity
Management Web UI. Clicking on Enroll without selecting a host did not return an error
indicating that a host was not selected. With this update, the Enroll button is disabled
until a host is chosen.
BZ#741050
The ipa-client-install command always checked whether the specified server was
a valid Identity Management server. However, if the Identity Management server was
configured to restrict access for anonymous binds (via the
nsslapd-allow-anonymous-access option), the check failed and the installation process returned an
error and ended. With this update, when the ipa-client-install command detects that
the chosen server does not allow anonymous binds, it skips server verification, reports a
warning, and lets the user join the Identity Management server.
BZ#701325
The X509v3 certificate shown in a host or service record in the Identity Management Web UI
was not properly formatted. This update converts the certificate from the base64 format to
the PEM format.
BZ#698219
The Apache service communicates with 389-ds early on during the start-up (to attempt to
retrieve the LDAP schema). Previously, if that communication failed, the Apache service
would have to be restarted. This race condition could cause a restarted Identity
Management server to become unavailable. With this update, the communication between
Apache and 389-ds is retried when it fails, thus fixing this issue.
BZ#697878
The Identity Management server installation could fail with an error stating that
the LDAP server could not be reached. This was because the installation process did not
wait for the 389-ds server to fully start after a restart. With this update, the installation
process waits for the 389-ds server to be fully started.
BZ#742875
When an Identity Management server was installed, it did not properly check the system's
static lookup table (/etc/hosts) for records which could interfere with its IP address or
hostname, and cause forward or reverse DNS queries to be resolved to different values
than expected. The installation process now always checks for any conflicting records in
the /etc/hosts file.
BZ#696282
A certificate subject base with an incorrect format provided by the user could cause an
installation process to fail in the CA step with a non-descriptive error. With this update, the
subject base of a certificate is validated, and the installation no longer fails.
BZ#696268
Providing an IP address during the Identity Management server installation via the
--ip-address option caused the installed server to not function properly. With this update, the
installer verifies that the provided IP address is a configured interface on the system. Providing
an IP address that is not associated with a local network interface will return an error
message.
BZ#743788
The IPA Web UI was missing a title on several pages. This update adds the missing titles.
BZ#693771
Including non-ASCII characters in the zonemgr email address could cause an installation
to fail with an unclear message. This update adds a validator which requires the zonemgr
to contain ASCII characters only.
BZ#681978
Uninstalling an Identity Management client on a machine which has the Identity
Management server installed on it as well caused the server to break. The client uninstaller
now detects the installation state of an installed server. An attempt to uninstall a client from
a machine which also contains the server will result in an error message. The client can be
uninstalled when the server is uninstalled.
BZ#744024
Prior to this update, the ipa-client-install command did not return an exit status of
0 when successful. With this update, the underlying source code has been modified to
address this issue, and correct exit codes are returned.
BZ#744074
Prior to this update, the Identity Management Web UI allowed a user to delete a global
Password Policy. If a global Password Policy is deleted, any attempt to add a user with a
Kerberos password fails. Additionally, neither the CLI nor the Web UI version of Identity
Management could be used to add this policy back. With this update, deleting the global
Password Policy is denied.
BZ#692955
Attempting to set the manager value of a user resulted in the following error message:
value #0 invalid per syntax: Invalid syntax.
This was because the value required a full LDAP DN syntax. With this update, when storing
or retrieving the manager value, the value is automatically translated between a login name
and a DN. Setting the manager value now requires a login name only.
BZ#744422
During the installation of an Identity Management server, the ipa-server-install command
called kdb5_ldap_util to populate the directory with realm information. In the process of doing
so, it passed the Kerberos master database password and the Kerberos directory password
as parameters. As a result, a user could list all running processes during the IPA server
installation and discover the aforementioned passwords. With this update,
kdb5_ldap_util's interactive mode is used to pass the passwords instead of passing them
via CLI parameters.
BZ#692950
When setting up DNS during an interactive installation, a reverse zone was always created
regardless of the --no-reverse option. This update fixes this behavior, and a reverse
zone is not created unless specified.
BZ#745392
When the ipa-client-install command attempted to auto-discover the Identity
Management server in its domain, it did not use any timeout when a server was found and
was being checked. If the found server was unresponsive during the auto-discovery, the
ipa-client-install command got stuck and did not continue. This update adds a
30-second timeout to the ipa-client-install auto-discovery server check.
BZ#692144
Using the --no-sssd option of the ipa-client-install command did not properly
back up and restore the existing /etc/sssd/sssd.conf file. With this update, the
underlying source code has been modified to address this issue, and the --no-sssd
option works as expected.
BZ#690473
Using the --hostname option to set a value outside an Identity Management-managed
DNS domain did not return an error and did not add the host to DNS. The DNS updating
utility, nsupdate, was modified to properly return an error when an update fails.
BZ#690185
Uninstalling an Identity Management client did not restore certain files when that client was
previously installed with the --force option. This was because the --force option was
able to re-install over an already installed system, causing the original saved files to be
lost. This behavior is no longer permitted; the client must first be uninstalled and only then
can it be re-installed.
BZ#689810
Adding a duplicate user resulted in a generic error message which was not specific enough
to discover the reason for the error. With this update, the object type and the primary key are
returned in the error message, making the error message more understandable.
BZ#689023
When adding a new password policy, the Identity Management Web UI did not prompt for a
required field, priority. This update requires the priority field to be filled in.
BZ#688925
The process of setting up an Identity Management replica became unresponsive if the
master could not be reached. This update adds a new utility, ipa-replica-conncheck,
which verifies that the replica and the master can communicate in both directions.
BZ#688266
If the domain did not match the realm, enrolling a client could fail with the following error:
Cannot resolve network address for KDC
This was because a temporary /etc/krb5.conf file was used during enrollment to
contact the Identity Management KDC. The process was always relying on DNS
auto-discovery to find the correct KDC and not the values provided by the end-user. With this
update, enrollment works even if the domain does not match the realm.
BZ#683641
If a one-time password was set on a host, an administrator was unable to enroll it and the
following error message would be returned:
No permission to join this host to the IPA domain.
A delegated administrator did not have permissions to write the Kerberos principal name.
This update adds permissions for the delegated administrator to be able to add a one-time
password, but not change or remove an existing one.
BZ#681979
The --on-master option lacked proper documentation. This update makes the option invisible
and removes it from documentation entirely.
BZ#747443
Realm-Domain mapping was not specified in a client's Kerberos configuration when the
client was outside of an Identity Management domain. In such a case, Certmonger would
fail to issue a host certificate. Realm-Domain mapping is now properly configured when the
client is outside of the Identity Management domain.
BZ#748754
Arguments for the Kerberos KDC, contained in the /etc/sysconfig/krb5kdc file, were
not formatted properly on multi-CPU systems. As a consequence, the KDC could not use the
intended number of CPUs and reported an error when it was (re)started. With this update,
the aforementioned arguments are now properly formatted, fixing this issue.
BZ#749352
Prior to this update, the ypcat command's netgroup output did not show users in netgroup
triples. Consequently, NIS-based authorization did not work as expected, and access was
denied when it should have been allowed. This was caused by a syntax error in the triple
rule. This update fixes this error, and users are now properly included in the netgroup
triples.
BZ#736170
The ipa package has been upgraded to upstream version 2.1.3 which provides a number of
bug fixes and enhancements over the previous version.
Users are advised to upgrade to these updated ipa packages, which resolve these issues.
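The exposure fixed in BZ#744422 above (Kerberos passwords handed to kdb5_ldap_util as CLI parameters) can be observed with a harmless child process, which is useful when auditing installer or wrapper scripts. The following Python code is an added example, not code from ipa-server-install; the child commands, the --password flag and the sample password are constructed for illustration, and it assumes a Linux host with /proc mounted.

```python
"""Added example (Linux only): a secret in argv is readable through /proc,
while the same secret written to the child's stdin is not."""
import subprocess
import sys

SECRET = "constructed-demo-password"  # constructed sample value, not a real credential

# Hypothetical stand-ins for a tool that needs a password. Both block on stdin
# so the parent can inspect them while they are still running.
CHILD_ARGV = "import sys; sys.stdin.read()"
CHILD_STDIN = (
    "import sys\n"
    "pw = sys.stdin.readline().rstrip('\\n')\n"
    "sys.stdout.write('got %d chars\\n' % len(pw))\n"
    "sys.stdout.flush()\n"
    "sys.stdin.read()\n"
)


def visible_cmdline(pid):
    """Return the argument vector that `ps` and /proc expose for `pid`."""
    with open("/proc/%d/cmdline" % pid, "rb") as fh:
        return [arg.decode() for arg in fh.read().split(b"\0") if arg]


def run_with_secret_in_argv(secret):
    """Weak pattern: the secret is part of the command line."""
    proc = subprocess.Popen(
        [sys.executable, "-c", CHILD_ARGV, "--password", secret],
        stdin=subprocess.PIPE,
    )
    try:
        return visible_cmdline(proc.pid)
    finally:
        proc.stdin.close()  # EOF on stdin lets the child exit
        proc.wait()


def run_with_secret_on_stdin(secret):
    """Corrected pattern: the secret travels over a pipe, as an interactive
    prompt would receive it, and never appears in the process list."""
    proc = subprocess.Popen(
        [sys.executable, "-c", CHILD_STDIN],
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
    )
    try:
        proc.stdin.write((secret + "\n").encode())
        proc.stdin.flush()
        # Wait for the child's acknowledgement so we know it consumed the secret.
        ack = proc.stdout.readline().decode().strip()
        return visible_cmdline(proc.pid), ack
    finally:
        proc.stdin.close()
        proc.stdout.close()
        proc.wait()


if __name__ == "__main__":
    print("argv :", run_with_secret_in_argv(SECRET))
    print("stdin:", run_with_secret_on_stdin(SECRET))
```
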
4.95. ipa-pki-theme
4.95.1. RHBA-2011:1754 — ipa-pki-theme bug fix update
Updated ipa-pki-theme packages which fix this bug are now available for Red Hat Enterprise Linux 6.
The ipa-pki-theme packages provide Red Hat Identity Management theme components for PKI
packages.
Certificate System (CS) manages enterprise Public Key Infrastructure (PKI) deployments and requires
a theme for the specific type of PKI deployment with which it is used. This package makes a Red Hat
Identity Management theme available for CS, and therefore makes it possible for users of Red Hat
Enterprise Linux 6 to use CS as a part of Red Hat Identity Management deployments.
Bug Fix
BZ#712931
IPA (Identity, Policy and Audit) is an identity and access management system. Prior to this
update, Certificate System (CS), which is implemented in pki-core, required multiple ports to
be open in a firewall for IPA to work. The number of open ports required has been reduced,
and support for a proxy using Apache JServ Protocol (AJP) ports has been added, by
enhancements made in pki-core. With this update, ipa-pki-theme has been changed to
make use of the updates to CS, including adding the proxy-ipa.conf configuration file, and
fixing broken links in certain user interface files. As a result, it is now possible for
ipa-pki-theme to support running CS behind a proxy Apache server.
Important
This theme is mutually exclusive with the PKI themes for other types of PKI deployments, such
as dogtag-pki-theme for Dogtag Certificate System deployments and redhat-pki-theme for Red
Hat Certificate System deployments. (BZ#643543)
All users of ipa-pki-theme are advised to upgrade to these updated packages, which fix this bug.
4.96. ipmitool
4.96.1. RHSA-2011:1814 — Moderate: ipmitool security update
An updated ipmitool package that fixes one security issue is now available for Red Hat Enterprise
Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The ipmitool package contains a command line utility for interfacing with devices that support the
Intelligent Platform Management Interface (IPMI) specification. IPMI is an open standard for machine
health, inventory, and remote power control.
Security Fix
CVE-2011-4339
It was discovered that the IPMI event daemon (ipmievd) created its process ID (PID) file with
world-writable permissions. A local user could use this flaw to make the ipmievd init script
kill an arbitrary process when the ipmievd daemon is stopped or restarted.
All users of ipmitool are advised to upgrade to this updated package, which contains a backported
patch to correct this issue. After installing this update, the IPMI event daemon (ipmievd) will be
restarted automatically.
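A stop or restart script that trusts a PID file should first confirm that the file could not have been rewritten by an unprivileged user and that the PID still belongs to the expected daemon, which is the failure mode behind CVE-2011-4339. The following Python check is an added example, not the backported ipmitool patch; the function name, the UnsafePidFile exception and the command-line usage are assumptions, and it relies on Linux /proc.

```python
"""Added example: validate a daemon PID file before signalling the PID in it."""
import os
import stat
import sys


class UnsafePidFile(Exception):
    """The PID file, or the process it names, cannot be trusted."""


def read_trusted_pid(path, expected_comm, owner_uid=0):
    """Return the PID stored in `path`, or raise UnsafePidFile.

    expected_comm is the daemon's name as shown in /proc/<pid>/comm
    (the kernel truncates it to 15 characters).
    """
    try:
        # O_NOFOLLOW refuses a symlink planted where the PID file should be;
        # O_NONBLOCK keeps open() from hanging if the path is a FIFO.
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError as exc:
        raise UnsafePidFile("cannot open %s: %s" % (path, exc))

    with os.fdopen(fd) as fh:
        # fstat the descriptor we read from, so the check and the read
        # cannot be split across two different files.
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise UnsafePidFile("%s is not a regular file" % path)
        if st.st_uid != owner_uid:
            raise UnsafePidFile("%s is owned by uid %d, expected %d"
                                % (path, st.st_uid, owner_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise UnsafePidFile("%s is group- or world-writable (mode %o)"
                                % (path, stat.S_IMODE(st.st_mode)))
        text = fh.read(32).strip()

    if not (text.isascii() and text.isdigit()):
        raise UnsafePidFile("%s does not contain a PID" % path)
    pid = int(text)
    if pid < 2:  # never signal PID 0 (own process group) or PID 1 (init)
        raise UnsafePidFile("refusing PID %d" % pid)

    # The PID may have been recycled: confirm it is still the expected daemon.
    try:
        with open("/proc/%d/comm" % pid) as fh:
            comm = fh.read().strip()
    except OSError:
        raise UnsafePidFile("PID %d is not running" % pid)
    if comm != expected_comm:
        raise UnsafePidFile("PID %d is %r, not %r" % (pid, comm, expected_comm))
    return pid


if __name__ == "__main__":
    # Usage (paths are supplied by the caller): check.py <pidfile> <process-name>
    try:
        print(read_trusted_pid(sys.argv[1], sys.argv[2]))
    except UnsafePidFile as exc:
        sys.exit("unsafe: %s" % exc)
```

The directory holding the PID file needs the same scrutiny: if it is writable by other users, the file can be replaced regardless of its own mode.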
4.96.2. RHBA-2011:1603 — ipmitool bug fix update
An updated ipmitool package that fixes multiple bugs is now available for Red Hat Enterprise Linux 6.
The ipmitool package contains a command line utility for interfacing with devices that support the
Intelligent Platform Management Interface (IPMI) specification. IPMI is an open standard for machine
health, inventory, and remote power control.
Bug Fixes
BZ#675975
Prior to this update, ipmitool's Serial Over LAN (SOL) module erroneously calculated the
number of octets processed by the Baseboard Management Controller and could have
resent already acknowledged chunks of serial communication, which could have corrupted
the serial line with additional characters. Under certain circumstances, this could have also
brought ipmitool into an endless loop or unexpected termination. With this update, ipmitool
now correctly calculates the number of octets processed by the BMC and does not resend
unwanted characters over the serial line.
BZ#727314
This update improves integration of the Linux Multiple Device (MD) driver with ipmitool to
indicate the SCSI enclosure services (SES) status and drive activities for the PCIe SSD
based solutions.
BZ#726390
This update adds the "channel setkg" subcommand to the "ipmitool" command, which
allows for KG key configuration.
BZ#726390
This update adds the "-Y" option, which allows reading of the KG key from the terminal.
BZ#731977
A serial console connected over the LAN and activated with the command "ipmitool sol
activate" contained a memory leak, which could have consumed all available memory
resources over time. This update fixes the problem.
BZ#731718
Invoking "ipmitool delloem powermonitor" did not properly convert values received over the
network to integer numbers on big-endian systems (PowerPC, IBM System z). As a result,
mostly random values were displayed when reporting power consumption. This update
fixes the integer conversions in the "powermonitor" command so that the power
consumption is now reported correctly on PowerPC and IBM System z architectures.
All users of ipmitool are advised to upgrade to this updated package, which fixes these bugs.
4.96.3. RHBA-2013:1164 — ipmitool bug fix update
Updated ipmitool packages that fix one bug are now available for Red Hat Enterprise Linux 6
Extended Update Support.
The ipmitool package contains a command-line utility for interfacing with devices that support the
Intelligent Platform Management Interface (IPMI) specification. IPMI is an open standard for machine
health, inventory, and remote power control.
Bug Fix
BZ#990960
In cases of congested networks or slow-responding BMCs (Baseboard Management
Controller), the reply operation timeout triggered the protocol command retry action.
Consequently, the ipmitool utility could incorrectly process a LAN session protocol
command with the reply from a previous protocol command. This update fixes handling of
expected replies for each command alone and cleans up expected replies between
commands. Now, the retried reply of the first command is correctly ignored while the later
command, which is currently pending, is properly processed in the described scenario.
Users of ipmitool are advised to upgrade to these updated packages, which fix this bug. After
installing this update, the IPMI event daemon (ipmievd) will be restarted automatically.
4.97. iproute
4.97.1. RHBA-2011:1690 — iproute bug fix update
An updated iproute package that fixes various bugs is now available for Red Hat Enterprise Linux 6.
The iproute package contains networking utilities (ip and rtmon, for example) which are designed to
use the advanced networking capabilities of the Linux kernel.
Bug Fixes
BZ#692867
Prior to this update, the "ip" utility lacked the "mode" parameter support for macvtap
devices. As a consequence, affected users could not create macvtap devices in "bridge" or
"private" modes. With this update, the "ip" utility now fully supports macvtap devices along
with the "mode" parameter and its options, "bridge", "private", and "vepa" (default). As a
result, users can now utilize macvtap functionality via the iproute package.
BZ#693878
Prior to this update, the "ip" tool lacked the "passthru" mode parameter support for
macvtap and macvlan devices. Consequently, users could not create macvtap and macvlan
devices in "passthru" mode. The "ip" tool now fully supports macvtap and macvlan devices
along with the "mode" parameter and its options, "bridge", "private", "passthru", and
"vepa" (default). As a result, users can now utilize "passthru" mode as part of macvtap and
macvlan functionality via the iproute package.
BZ#709652
Prior to this update, the "tc" utility ignored GRED (Generalized RED) queue options.
Consequently, "tc" users could not configure certain GRED queue related parameters. With
this update, the "tc" utility no longer accidentally overwrites the user-specified options. As a
result, "tc" users can now reliably define all GRED parameters.
All users of iproute are advised to upgrade to this updated package, which fixes these bugs.
4.98. iprutils
4.98.1. RHEA-2011:1546 — iprutils bug fix and enhancement update
An updated iprutils package that fixes various bugs and provides one enhancement is now available
for Red Hat Enterprise Linux 6.
The iprutils package provides utilities to manage and configure SCSI devices that are supported by
the IBM Power RAID SCSI storage device driver.
The iprutils package has been upgraded to upstream version 2.3.4, which provides support for the
Serial Attached SCSI (SAS) vRAID functions. (BZ#693816)
Bug Fixes
BZ#694756
Due to a NULL pointer dereference, the iprconfig utility terminated unexpectedly with a
segmentation fault when attempting to display hardware status. A patch has been applied
to address this issue and hardware status is now displayed correctly.
BZ#703255
Previously, iprutils did not work correctly when performing RAID migration and asymmetric
access functions on new adapters. With this update, array migration functionality is fixed.
Now, iprutils can correctly perform the RAID migration and asymmetric access functions.
BZ#741835
The find_multipath_vset routine used the ARRAY_SIZE() macro to calculate the length of the
serial number. Previously, the length was calculated incorrectly, which could have led to
false positives when looking for the corresponding vset. As a consequence, attempting to
delete arrays failed: the target and the second array were set to be read/write protected,
writing to both arrays was not possible, and the system had to be rebooted. To fix the
problem, the IPR_SERIAL_NUM_LEN macro is now used instead of ARRAY_SIZE.
BZ#741835
With the maximum number of devices attached to one of the new Silicon Integrated Systems
(SiS) 64-bit adapters, the configuration data could have grown over the buffer size. With
this update, the buffer size has been increased, which fixes the problem and ensures room
for any possible future growth.
All users of iprutils are advised to upgrade to this updated package, which fixes these bugs and
provides this enhancement.
4.99. iptables
4.99.1. RHBA-2012:0335 — iptables bug fix update
Updated iptables packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The iptables utility controls the network packet filtering code in the Linux kernel.
Bug Fix
BZ#786874
The option parser of the iptables utility did not correctly handle the "-m mark" and "-m
connmark" options in the same rule. Therefore, the iptables command failed when issued
with both options. This update modifies behavior of the option parser so that iptables now
works as expected with the "-m mark" and "-m connmark" options specified.
All users of iptables are advised to upgrade to these updated packages, which fix this bug.
4.100. irqbalance
4.100.1. RHBA-2012:0552 — irqbalance bug fix update
Updated irqbalance packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The irqbalance package provides a daemon that evenly distributes interrupt request (IRQ) load
across multiple CPUs for enhanced performance.
Bug Fix
BZ#817873
The irqbalance daemon assigns each interrupt source in the system to a "class", which
represents the type of the device (for example Networking, Storage or Media). Previously,
irqbalance used the IRQ handler names from the /proc/interrupts file to decide the source
class, which caused irqbalance to not recognize network interrupts correctly. As a
consequence, systems using biosdevname NIC naming did not have their hardware
interrupts distributed and pinned as expected. With this update, the device classification
mechanism has been improved, which ensures better interrupt distribution.
All users of irqbalance are advised to upgrade to these updated packages, which fix this bug.
4.101. iscsi-initiator-utils
4.101.1. RHBA-2011:1722 — iscsi-initiator-utils bug fix and enhancement update
An updated iscsi-initiator-utils package that fixes one bug and adds various enhancements is now
available for Red Hat Enterprise Linux 6.
The iscsi package provides the server daemon for the Internet Small Computer System Interface
(iSCSI) protocol, as well as the utility programs used to manage it. iSCSI is a protocol for distributed
disk access using SCSI commands sent over Internet Protocol networks.
Bug Fix
BZ#715434
The iscsiadm utility displayed the discovery2 mode in the help output but did not accept the
mode as a valid one. This entry has been replaced with the valid discoverydb mode entry
as displayed in the ISCSIADM(8) manual page.
Enhancements
BZ#602959
The brcm_iscsiuio daemon did not rotate its log file, /var/log/brcm-iscsi.log. As a
consequence, the log file may have filled up the available disk space. The brcm_iscsiuio
daemon now supports log rotation, which fixes the problem.
BZ#696808
The brcm_iscsiuio daemon has been updated to provide enhanced support for IPv6
(Internet Protocol version 6), VLAN (Virtual Local Area Network), and Broadcom iSCSI
Offload Engine Technology. The daemon has been renamed to iscsiuio with this update.
BZ#749051
The bnx2i driver can now be used for install or boot. To install or boot to targets using this
driver, turn on the HBA (Host Bus Adapter) mode in the card's BIOS boot setup screen.
In addition, the iSCSI tools can now set up networking and manage sessions for QLogic iSCSI
adapters that use the qla4xxx driver. For more information, see section 5.1.2 of the README file
which is located in the /usr/share/doc/iscsi-initiator-utils-6.2.0.872 directory.
Users are advised to upgrade to this updated iscsi-initiator-utils package, which fixes this bug and
adds these enhancements.
4.102. isdn4k-utils
4.102.1. RHBA-2011:1169 — isdn4k-utils bug fix update
Updated isdn4k-utils packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The isdn4k-utils package contains a collection of utilities needed for configuring an ISDN
subsystem.
Bug Fixes
BZ#618653
Prior to this update, the isdn and capi init scripts were not LSB compatible. Due to this
problem, the isdn and capi init scripts exited with incorrect or invalid exit statuses. This
update modifies the init scripts so that they are LSB compatible. Now the init scripts exit with
the correct exit status. (BZ#618549)
All users of isdn4k-utils are advised to upgrade to these updated packages, which fix this bug.
4.103. iwl1000-firmware
4.103.1. RHBA-2011:1558 — iwl1000-firmware bug fix and enhancement update
An updated iwl1000-firmware package that fixes various bugs and adds several enhancements is
now available for Red Hat Enterprise Linux 6.
The iwl1000-firmware package provides the firmware required by the iwlagn driver for Linux to
support Intel Wireless WiFi Link 1000 series adapters.
The iwl1000-firmware package has been upgraded to upstream version 39.31.5.1, which provides a
number of bug fixes and enhancements over the previous version. (BZ#694245)
All users of the iwlagn driver are advised to upgrade to this updated iwl1000-firmware package,
which resolves these issues and adds these enhancements.
4.104. iwl6000g2a-firmware
4.104.1. RHEA-2011:1681 — iwl6000g2a-firmware enhancement update
An updated iwl6000g2a-firmware package that adds an enhancement is now available for Red Hat
Enterprise Linux 6.
The iwl6000g2a-firmware package provides the firmware required by the iwlagn driver for Linux to
support Intel Wireless WiFi Link 6005 series adapters.
The iwl6000g2a-firmware package has been upgraded to upstream version 17.168.5.3, which
provides an enhancement over the previous version. (BZ#729438)
All users of the iwlagn driver are advised to upgrade to this updated iwl6000g2a-firmware package,
which adds this enhancement.
4.105. jasper
4 .105.1. RHSA-2011:1807 — Import ant : jasper securit y updat e
Updated jasper packages that fix two security issues are now available for Red Hat Enterprise Linux
6.
The Red Hat Security Response Team has rated this update as having important security impact.
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
JasPer is an implementation of Part 1 of the JPEG 2000 image compression standard.
Secu rit y Fix
C VE- 2011- 4 516 , C VE- 2011- 4 517
Two heap-based buffer overflow flaws were found in the way JasPer decoded JPEG 2000
compressed image files. An attacker could create a malicious JPEG 2000 compressed
image file that, when opened, would cause applications that use JasPer (such as Nautilus)
to crash or, potentially, execute arbitrary code.
Red Hat would like to thank Jonathan Foote of the CERT Coordination Center for reporting these
issues.
Users are advised to upgrade to these updated packages, which contain a backported patch to
correct these issues. All applications using the JasPer libraries (such as Nautilus) must be restarted
for the update to take effect.
4 .106. java-1.5.0-ibm
4 .106.1. RHSA-2012:0508 — Crit ical: java-1.5.0-ibm securit y updat e
Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat
Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact.
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2
Software Development Kit.
Security Fixes
CVE-2011-3389, CVE-2011-3557, CVE-2011-3560, CVE-2011-3563, CVE-2012-0498,
CVE-2012-0499, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505,
CVE-2012-0506, CVE-2012-0507
This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the
IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from
the IBM "Security alerts" page.
All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM
1.5.0 SR13-FP1 Java release. All running instances of IBM Java must be restarted for this update to
take effect.
4.107. java-1.6.0-ibm
4.107.1. RHSA-2012:0514 — Critical: java-1.6.0-ibm security update
Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat
Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact.
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The IBM Java SE version 6 release includes the IBM Java 6 Runtime Environment and the IBM Java
6 Software Development Kit.
Security Fixes
CVE-2011-3563, CVE-2011-5035, CVE-2012-0497, CVE-2012-0498, CVE-2012-0499,
CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505,
CVE-2012-0506, CVE-2012-0507
This update fixes several vulnerabilities in the IBM Java 6 Runtime Environment and the
IBM Java 6 Software Development Kit. Detailed vulnerability descriptions are linked from
the IBM "Security alerts" page.
All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM
Java 6 SR10-FP1 release. All running instances of IBM Java must be restarted for the update to take
effect.
4.107.2. RHSA-2012:0034 — Critical: java-1.6.0-ibm security update
Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat
Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact.
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The IBM Java SE version 6 release includes the IBM Java 6 Runtime Environment and the IBM Java
6 Software Development Kit.
Security Fixes
CVE-2011-3389, CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545,
CVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550,
CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3556,
CVE-2011-3557, CVE-2011-3560, CVE-2011-3561
This update fixes several vulnerabilities in the IBM Java 6 Runtime Environment and the
IBM Java 6 Software Development Kit. Detailed vulnerability descriptions are linked from
the IBM "Security alerts" page.
All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM
Java 6 SR10 release. All running instances of IBM Java must be restarted for the update to take
effect.
4.108. java-1.6.0-openjdk
4.108.1. RHSA-2012:0135 — Critical: java-1.6.0-openjdk security update
Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat
Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having critical security impact.
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software
Development Kit.
Security Fixes
CVE-2012-0497
It was discovered that Java2D did not properly check graphics rendering objects before
passing them to the native renderer. Malicious input, or an untrusted Java application or
applet could use this flaw to crash the Java Virtual Machine (JVM), or bypass Java
sandbox restrictions.
CVE-2012-0505
It was discovered that the exception thrown on deserialization failure did not always
contain a proper identification of the cause of the failure. An untrusted Java application or
applet could use this flaw to bypass Java sandbox restrictions.
CVE-2011-3571
The AtomicReferenceArray class implementation did not properly check if the array was of
the expected Object[] type. A malicious Java application or applet could use this flaw to
bypass Java sandbox restrictions.
CVE-2012-0503
It was discovered that the use of TimeZone.setDefault() was not restricted by the
SecurityManager, allowing an untrusted Java application or applet to set a new default time
zone, and hence bypass Java sandbox restrictions.
CVE-2011-5035
The HttpServer class did not limit the number of headers read from HTTP requests. A remote
attacker could use this flaw to make an application using HttpServer use an excessive
amount of CPU time via a specially-crafted request. This update introduces a header count
limit controlled using the sun.net.httpserver.maxReqHeaders property. The default value is
200.
CVE-2011-3563
The Java Sound component did not properly check buffer boundaries. Malicious input, or
an untrusted Java application or applet could use this flaw to cause the Java Virtual
Machine (JVM) to crash or disclose a portion of its memory.
CVE-2012-0502
A flaw was found in the AWT KeyboardFocusManager that could allow an untrusted Java
application or applet to acquire keyboard focus and possibly steal sensitive information.
CVE-2012-0506
It was discovered that the CORBA (Common Object Request Broker Architecture)
implementation in Java did not properly protect repository identifiers on certain CORBA
objects. This could have been used to modify immutable object data.
CVE-2012-0501
An off-by-one flaw, causing a stack overflow, was found in the unpacker for ZIP files. A
specially-crafted ZIP archive could cause the Java Virtual Machine (JVM) to crash when
opened.
Note
If the web browser plug-in provided by the icedtea-web package was installed, the issues
exposed via Java applets could have been exploited without user interaction if a user visited a
malicious website.
This erratum also upgrades the OpenJDK package to IcedTea6 1.10.6. Refer to the NEWS file for
more information:
http://icedtea.classpath.org/hg/release/icedtea6-1.10/file/icedtea6-1.10.6/NEWS
All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve
these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
4.108.2. RHSA-2012:0729 — Critical: java-1.6.0-openjdk security update
Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat
Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having critical security impact.
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software
Development Kit.
Security Fixes
CVE-2012-1711, CVE-2012-1719
Multiple flaws were discovered in the CORBA (Common Object Request Broker Architecture)
implementation in Java. A malicious Java application or applet could use these flaws to
bypass Java sandbox restrictions or modify immutable object data.
CVE-2012-1716
It was discovered that the SynthLookAndFeel class from Swing did not properly prevent
access to certain UI elements from outside the current application context. A malicious Java
application or applet could use this flaw to crash the Java Virtual Machine, or bypass Java
sandbox restrictions.
CVE-2012-1713
Multiple flaws were discovered in the font manager's layout lookup implementation. A
specially-crafted font file could cause the Java Virtual Machine to crash or, possibly,
execute arbitrary code with the privileges of the user running the virtual machine.
CVE-2012-1723, CVE-2012-1725
Multiple flaws were found in the way the Java HotSpot Virtual Machine verified the bytecode
of the class file to be executed. A specially-crafted Java application or applet could use
these flaws to crash the Java Virtual Machine, or bypass Java sandbox restrictions.
CVE-2012-1724
It was discovered that the Java XML parser did not properly handle certain XML documents.
An attacker able to make a Java application parse a specially-crafted XML file could use
this flaw to make the XML parser enter an infinite loop.
CVE-2012-1718
It was discovered that the Java security classes did not properly handle Certificate
Revocation Lists (CRL). CRL containing entries with duplicate certificate serial numbers
could have been ignored.
CVE-2012-1717
It was discovered that various classes of the Java Runtime library could create temporary
files with insecure permissions. A local attacker could use this flaw to gain access to the
content of such temporary files.
Note
If the web browser plug-in provided by the icedtea-web package was installed, the issues
exposed via Java applets could have been exploited without user interaction if a user visited a
malicious website.
This erratum also upgrades the OpenJDK package to IcedTea6 1.11.3. Refer to the NEWS file for
further information:
http://icedtea.classpath.org/hg/release/icedtea6-1.11/file/icedtea6-1.11.3/NEWS
All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve
these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
4.108.3. RHBA-2011:1623 — java-1.6.0-openjdk enhancement update
An updated java-1.6.0-openjdk package that fixes two bugs is now available for Red Hat Enterprise
Linux 6.
These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software
Development Kit.
This updated java-1.6.0-openjdk package includes fixes for the following bugs:
BZ#722310
The java-1.6.0-openjdk package has been upgraded to the upstream version 1.10.4, which
provides a number of bug fixes and enhancements over the previous version.
BZ#708201
Installing OpenJDK or executing a Java program that used fonts other than terminal
fonts could have terminated unexpectedly with the following error:
Exception in thread "main"
java.lang.Error: Probable fatal error:No fonts found.
This happened because the fontconfig library was not installed and the font enumeration
failed. With this update, OpenJDK depends on fontconfig and the problem no longer
occurs.
All users of java-1.6.0-openjdk are advised to upgrade to this updated package, which fixes these
bugs.
4.108.4. RHBA-2011:1847 — java-1.6.0-openjdk bug fix update
Updated java-1.6.0-openjdk packages that fix one bug are now available for Red Hat Enterprise
Linux 6.
The java-1.6.0-openjdk package provides the OpenJDK 6 Java Runtime Environment and the
OpenJDK 6 Software Development Kit.
The java-1.6.0-openjdk package has been upgraded to upstream version 1.2.3, which provides a
number of bug fixes and enhancements over the previous version. In addition, HugePage support is
now provided and can be activated with the -XX:+UseLargePages flag. (BZ #123456)
Bug Fix
BZ#751730
Prior to this update, security restrictions caused the RMI registry to stop working correctly.
As a consequence, a remote RMI client could execute code on the RMI server with
unrestricted privileges. This update adjusts the RMI registry so that it now works as
expected.
Enhancements
BZ#567404
This update adds support for the Rhino JavaScript interpreter to the java-1.6.0-openjdk
package.
BZ#727598
This update upgrades IcedTea6 to upstream version 1.10.
All users of java-1.6.0-openjdk are advised to upgrade to this updated package, which fixes these
bugs and adds these enhancements.
4.109. java-1.6.0-sun
4.109.1. RHSA-2012:0734 — Critical: java-1.6.0-sun security update
Updated java-1.6.0-sun packages that fix several security issues are now available for Red Hat
Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact.
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and the Sun Java 6
Software Development Kit.
Security Fixes
CVE-2012-0551, CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717,
CVE-2012-1718, CVE-2012-1719, CVE-2012-1721, CVE-2012-1722, CVE-2012-1723,
CVE-2012-1724, CVE-2012-1725
This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the
Sun Java 6 Software Development Kit. Further information about these flaws can be found
on the Oracle Java SE Critical Patch page.
All users of java-1.6.0-sun are advised to upgrade to these updated packages, which provide JDK
and JRE 6 Update 33 and resolve these issues. All running instances of Sun Java must be restarted
for the update to take effect.
4.109.2. RHSA-2012:0139 — Critical: java-1.6.0-sun security update
Updated java-1.6.0-sun packages that fix several security issues are now available for Red Hat
Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical security impact.
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and the Sun Java 6
Software Development Kit.
Security Fixes
CVE-2011-3563, CVE-2011-3571, CVE-2011-5035, CVE-2012-0498, CVE-2012-0499,
CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505,
CVE-2012-0506
This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the
Sun Java 6 Software Development Kit. Further information about these flaws can be found
on the Oracle Java SE Critical Patch page:
http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
http://www.oracle.com/technetwork/java/javase/6u31-relnotes-1482342.html
All users of java-1.6.0-sun are advised to upgrade to these updated packages, which provide JDK
and JRE 6 Update 31 and resolve these issues. All running instances of Sun Java must be restarted
for the update to take effect.
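The restart requirement stated in the JasPer and Java errata above can be checked on a running system: after a package update replaces a library on disk, a process started earlier still maps the old file, and /proc/<pid>/maps lists it with a "(deleted)" suffix. The following Python script is an added example, not part of these Technical Notes or of any Red Hat tool; the library name patterns, the function names and the sample maps text are assumptions constructed for illustration.

```python
import fnmatch
import os
import re

# Library file names to look for. Assumed patterns chosen for the JasPer and
# Java errata in this section; they are not taken from the Technical Notes.
DEFAULT_PATTERNS = ("libjasper.so*", "libjvm.so*")

# One /proc/<pid>/maps line: address range, perms, offset, device, inode, path.
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+\S{4}\s+[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)
DELETED_SUFFIX = " (deleted)"

# Constructed sample: maps content of a JVM that was started before an update.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 fd:00 1311283    /usr/lib/jvm/jre/bin/java
7f3a5c000000-7f3a5c9a1000 r-xp 00000000 fd:00 1311402    /usr/lib/jvm/jre/lib/amd64/server/libjvm.so (deleted)
7f3a5d200000-7f3a5d24f000 r-xp 00000000 fd:00 1180034    /usr/lib64/libjasper.so.1.0.0 (deleted)
7f3a5d24f000-7f3a5d44e000 ---p 0004f000 fd:00 1180034    /usr/lib64/libjasper.so.1.0.0 (deleted)
7f3a5e000000-7f3a5e001000 rw-s 00000000 00:04 32769    /SYSV00000000 (deleted)
7f3a5f000000-7f3a5f021000 rw-p 00000000 00:00 0    [heap]
7fff1c3ff000-7fff1c400000 r-xp 00000000 00:00 0    [vdso]
"""


def stale_mappings(maps_text, patterns=DEFAULT_PATTERNS):
    """Return the sorted, de-duplicated paths of mapped files that have been
    removed or replaced on disk and whose file name matches one of patterns."""
    stale = set()
    for line in maps_text.splitlines():
        match = MAPS_LINE.match(line)
        if not match:
            continue
        path = match.group("path")
        # Skip anonymous and pseudo mappings such as [heap] and [vdso].
        if not path.startswith("/") or not path.endswith(DELETED_SUFFIX):
            continue
        path = path[: -len(DELETED_SUFFIX)]
        name = os.path.basename(path)
        # The name filter also drops unrelated deleted mappings, for example
        # System V shared memory segments.
        if any(fnmatch.fnmatch(name, pattern) for pattern in patterns):
            stale.add(path)
    return sorted(stale)


def scan_proc(patterns=DEFAULT_PATTERNS, proc_root="/proc"):
    """Map each PID under proc_root to the stale library paths it still uses."""
    results = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as handle:
                text = handle.read()
        except OSError:
            # The process exited, or its maps file is not readable by this user.
            continue
        hits = stale_mappings(text, patterns)
        if hits:
            results[int(entry)] = hits
    return results


if __name__ == "__main__":
    if os.path.isdir("/proc"):
        for pid, paths in sorted(scan_proc().items()):
            print("PID %d still maps replaced files:" % pid)
            for path in paths:
                print("    " + path)
```

Run it as root to cover every process; an unprivileged user can read only the maps files of processes they own, so other processes are silently skipped.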
4.110. jss
4.110.1. RHBA-2011:1675 — jss bug fix update
An updated jss package that fixes various bugs is now available for Red Hat Enterprise Linux 6.
JSS is a Java binding to Network Security Services (NSS), which provides SSL/TLS network
protocols and other security services in the Public Key Infrastructure (PKI) suite. JSS is primarily
utilized by the Certificate Server.
Bug Fixes
BZ#660436
The java.net.SocketException was accompanied by a misleading error message because
the exception definition was using a variable that pointed to a wrong address. With this update,
the underlying code has been modified and the exception now uses the correct error
message.
BZ#705947
On Luna SA HSM in FIPS mode, Red Hat Certificate System failed to generate a certificate
and threw an exception if ECC (Elliptic Curve Cryptography) algorithms were set to higher
than SHA1withEC. This occurred because in FIPS mode, the SSL protocol requires ECDH
(Elliptic Curve Diffie Hellman), which is not supported by Luna SA. With this update, the
ECDH support has been provided by JSS/NSS, and certificates are created and used with
SSL correctly.
BZ#733551
In FIPS mode, DRM (Data Recovery Manager) failed to recover keys because it failed to
import the respective key. With this update, the key is generated on recovery and the
recovery succeeds.
All users of jss are advised to upgrade to this updated package, which fixes these bugs.
4.111. jwhois
4.111.1. RHBA-2011:0921 — jwhois bug fix and enhancement update
An updated jwhois package that fixes one bug and adds one enhancement is now available for Red
Hat Enterprise Linux 6.
The jwhois package provides a whois client, which is used to obtain information about domain
names and IP addresses from whois servers.
Bug Fix
BZ#682832
Previously, when querying a domain with the name length near the allowed limit of 63
characters, and emitting command options to a whois server, the "whois" command failed
because both the domain name and command options were given to a function responsible
for translating Internationalized Domain Names (IDN) to ASCII. The length of such a
command was greater than the allowed limit. This update fixes this bug so that only the
domain name is now translated after executing the command.
Enhancement
BZ#664449
Previously, jwhois did not contain the whois server details for the dotEmarat extension. As a
result, whois queries for these extensions were incorrectly directed to whois.internic.net.
With this update, the configuration file correctly directs queries for the dotEmarat domains
to whois.aeda.net.ae.
All users of whois clients are advised to upgrade to this updated package, which fixes this bug and
adds this enhancement.
4.112. kabi-whitelists
4.112.1. RHEA-2011:1747 — kabi-whitelists enhancement update
An updated kabi-whitelists package that adds various enhancements is now available for Red Hat
Enterprise Linux 6.
The kabi-whitelists package contains reference files documenting interfaces provided by the Red Hat
Enterprise Linux 6 kernel that are considered to be stable by Red Hat kernel engineering, and safe for
longer term use by third party loadable device drivers, as well as for other purposes.
Enhancements
BZ#680469
The "pci_reset_function" symbol has been added to the Red Hat Enterprise Linux 6.2 kernel
application binary interface (ABI) whitelists.
BZ#690479
The "aio_complete" and "aio_put_req" symbols have been added to the kernel ABI
whitelists.
BZ#700406
The "__blk_end_request", "bdget_disk", "blk_limits_io_min", "blk_limits_io_opt",
"blk_plug_device", "blk_queue_bounce", "blk_queue_max_discard_sectors",
"blk_remove_plug", "blk_requeue_request", "jiffies_to_usecs", "prepare_to_wait_exclusive",
"ipv6_ext_hdr", "lro_receive_frags", and "lro_vlan_hwaccel_receive_frags" symbols have
been added to the kernel ABI whitelists.
BZ#700432
The "ipv6_ext_hdr", "lro_receive_frags", and "lro_vlan_hwaccel_receive_frags" symbols
have been added to the kernel ABI whitelists.
BZ#702675
The "ipv6_ext_hdr", "lro_receive_frags", "lro_vlan_hwaccel_receive_frags",
"netif_set_real_num_tx_queues", and "pci_find_ext_capability" symbols have been added
to the kernel ABI whitelists. The only exception is "pci_find_ext_capability", which is not
available for IBM System z.
BZ#703125
The "compat_alloc_user_space" symbol has been added to the kernel ABI whitelists.
BZ#730410
The "paca" symbol has been added to the kernel ABI whitelists for the 64-bit PowerPC
architecture.
BZ#748520
The "dm_put_device", "enl_register_ops", "m_device_name", "m_unregister_target",
"m_register_target", "m_table_get_mode", "m_table_get_md", "m_get_device", and
"enl_register_family" symbols have been added to the kernel ABI whitelists.
Note: It is not necessary to install the kabi-whitelists package in order to use Driver Updates. The
kabi-whitelists package only provides reference files for use by those creating Driver Update
packages, or for those who wish to enable support for verification of kernel ABI compatibility by
installing the appropriate Yum plug-in.
All users of kabi-whitelists are advised to upgrade to this updated package, which adds these
enhancements.
4.113. kdeaccessibility
4.113.1. RHBA-2011:1173 — kdeaccessibility bug fix update
Updated kdeaccessibility packages that fix one bug are now available for Red Hat Enterprise Linux
6.
KDE is a graphical desktop environment for the X Window System. Kdeaccessibility contains KDE
accessibility utilities, including KMouseTool (to initiate mouse clicks), KMag (to magnify parts of the
screen), and KMouth & KTTS (a text-to-speech utility).
Bug Fix
BZ#587897
Prior to this update, the icon for the kttsmsg program incorrectly appeared in GNOME
Application's Accessories menu. This bug has been fixed in this update so that the icon is
now no longer displayed, as expected.
All users of kdeaccessibility are advised to upgrade to these updated packages, which fix this bug.
4.114. kdeadmin
4.114.1. RHBA-2011:1117 — kdeadmin bug fix update
An updated kdeadmin package that fixes two bugs is now available for Red Hat Enterprise Linux 6.
The kdeadmin package contains administrative tools for the K Desktop Environment.
Bug Fixes
BZ#587904
Prior to this update, the icon for the ksystemlog program did not appear correctly in
GNOME Application's System Tools menu. This bug has been fixed in this update so that
the icon is now displayed as expected.
BZ#692737
Prior to this update, the Network Settings component that was included in KDE's System
Settings was not compatible with NetworkManager in Red Hat Enterprise Linux 6. As a
result, the spurious message "Your Platform is Not Supported" was displayed in the
aforementioned component's dialog window. Furthermore, no network interface controllers
(NICs) were displayed in the dialog window. These problems have been resolved in this
update by removing the Network Settings component from KDE's System Settings.
Users of kdeadmin are advised to upgrade to this updated package, which fixes these bugs.
4.115. kdebase
4.115.1. RHBA-2011:1200 — kdebase bug fix update
Updated kdebase packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The K Desktop Environment (KDE) is a graphical desktop environment for the X Window System. The
kdebase package includes core applications for KDE.
Bug Fixes
BZ#631481
Prior to this update, when starting another instance of the konsole application in an
already running konsole instance, the spurious "Undecodable sequence: \001b(hex)[?1034h"
message was displayed. This bug has been fixed in this update and no longer
occurs.
BZ#609039
Prior to this update, the System Settings application in KDE became unresponsive when
entering a password in order to apply changes in the About Me dialog. With this update, the
bug has been fixed so that entering a password works properly.
All users of kdebase are advised to upgrade to these updated packages, which fix these bugs.
4.116. kdebase-workspace
4.116.1. RHBA-2011:1115 — kdebase-workspace bug fix update
Updated kdebase-workspace packages that fix several bugs are now available for Red Hat
Enterprise Linux 6.
KDE is a graphical desktop environment for the X Window System. The kdebase-workspace
packages contain utilities for basic operations with the desktop environment. They allow users,
for example, to change system settings, resize and rotate X screens, or set panels and widgets on the
workspace.
Bug Fixes
BZ#587917
If the KDE and GNOME desktop environments were both installed on one system, two
System Monitor utilities were installed as well. These, located in System Tools of the
Applications menu, had the same icons and title, which may have confused the user. With
this update, KDE icons are used for the ksysguard tool.
BZ#639359
Prior to this update, the ksysguard process terminated unexpectedly with a segmentation
fault after clicking the OK button in the Properties dialog of the Network History tab, which is
included in the ksysguard application. This bug has been fixed in this update so that
ksysguard no longer crashes and works properly.
BZ#649345
Previously, when rebooting the system, the kdm utility terminated with a segmentation fault if
auto-login was enabled. This was caused by a NULL password being sent to the master
process, which has been fixed, and rebooting the system with auto-login enabled no longer
causes kdm to crash.
BZ#666295
When clicking Help in the Battery Monitor Settings dialog of the Battery Monitor widget, the
message "The file or folder help:/plasma-desktop/index.html does not exist" appeared
instead of displaying the help pages. This update adds the missing help pages, which fixes
the problem.
All users of kdebase-workspace are advised to upgrade to these updated packages, which fix these
bugs.
4.117. kdepim-runtime
4.117.1. RHBA-2011:1094 — kdepim-runtime bug fix update
Updated kdepim-runtime packages that fix two bugs are now available for Red Hat Enterprise Linux
6.
KDE is a graphical desktop environment for the X Window System. The kdepim-runtime package
contains the KDE PIM Runtime Environment.
Bug Fixes
BZ#660581
Prior to this update, it was not possible to build the kdepim-runtime package on Red Hat
Enterprise Linux 6. This problem has been resolved in this update and no longer occurs.
BZ#625121
Prior to this update, Akonaditray, which is an application included in KDE, was incorrectly
displayed in the GNOME Applications menu. This bug has been fixed in this update so that
Akonaditray is no longer displayed in the aforementioned menu.
All users of kdepim-runtime are advised to upgrade to these updated packages, which fix these bugs.
4.118. kdeutils
4.118.1. RHBA-2011:1206 — kdeutils bug fix update
Updated kdeutils packages that fix one bug are now available for Red Hat Enterprise Linux 6.
KDE is a graphical desktop environment for the X Window System. The kdeutils packages include
several utilities for the KDE desktop environment.
Bug Fix
BZ#625116
Prior to this update, the icon for the Sweeper utility did not appear correctly in GNOME
Application's Accessories menu. This bug has been fixed in this update so that the icon is
now displayed as expected.
All users of kdeutils are advised to upgrade to these updated packages, which fix this bug.
4.119. kernel
4.119.1. RHSA-2013:1026 — Important: kernel security and bug fix update
Updated kernel packages that fix multiple security issues and several bugs are now available for Red
Hat Enterprise Linux 6.2 Extended Update Support.
The Red Hat Security Response Team has rated this update as having important security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are
available for each vulnerability from the CVE links associated with each description below.
These packages contain the Linux kernel, the core of any Linux operating system.
Security Fixes
CVE-2013-1773, Important
A buffer overflow flaw was found in the way UTF-8 characters were converted to UTF-16 in
the utf8s_to_utf16s() function of the Linux kernel's FAT file system implementation. A local
user able to mount a FAT file system with the "utf8=1" option could use this flaw to crash the
system or, potentially, to escalate their privileges.
CVE-2012-1796, Important
A flaw was found in the way KVM (Kernel-based Virtual Machine) handled guest time
updates when the buffer the guest registered by writing to the MSR_KVM_SYSTEM_TIME
machine state register (MSR) crossed a page boundary. A privileged guest user could use
this flaw to crash the host or, potentially, escalate their privileges, allowing them to execute
arbitrary code at the host kernel level.
CVE-2013-1797, Important
A potential use-after-free flaw was found in the way KVM handled guest time updates when
the GPA (guest physical address) the guest registered by writing to the
MSR_KVM_SYSTEM_TIME machine state register (MSR) fell into a movable or removable
memory region of the hosting user-space process (by default, QEMU-KVM) on the host. If
that memory region is deregistered from KVM using KVM_SET_USER_MEMORY_REGION
and the allocated virtual memory reused, a privileged guest user could potentially use this
flaw to escalate their privileges on the host.
CVE-2012-1798, Important
A flaw was found in the way KVM emulated IOAPIC (I/O Advanced Programmable Interrupt
Controller). A missing validation check in the ioapic_read_indirect() function could allow a
privileged guest user to crash the host, or read a substantial portion of host kernel memory.
CVE-2012-1848, Low
A format string flaw was found in the ext3_msg() function in the Linux kernel's ext3 file
system implementation. A local user who is able to mount an ext3 file system could use this
flaw to cause a denial of service or, potentially, escalate their privileges.
Red Hat would like to thank Andrew Honig of Google for reporting CVE-2013-1796, CVE-2013-1797,
and CVE-2013-1798.
Bug Fixes
BZ#956294
The virtual file system (VFS) code had a race condition between the unlink and link system
calls that allowed creating hard links to deleted (unlinked) files. This could, under certain
circumstances, cause inode corruption that eventually resulted in a file system shutdown.
The problem was observed in Red Hat Storage during rsync operations on replicated
Gluster volumes that resulted in an XFS shutdown. A testing condition has been added to
the VFS code, preventing hard links to deleted files from being created.
BZ#972578
Various race conditions that led to indefinite log reservation hangs due to xfsaild "idle"
mode occurred in the XFS file system. This could lead to certain tasks being unresponsive;
for example, the cp utility could become unresponsive on heavy workload. This update
improves the Active Item List (AIL) pushing logic in xfsaild. Also, the log reservation
algorithm and interactions with xfsaild have been improved. As a result, the aforementioned
problems no longer occur in this scenario.
BZ#972597
When the Active Item List (AIL) becomes empty, the xfsaild daemon is moved to a task sleep
state that depends on the timeout value returned by the xfsaild_push() function. The latest
changes modified xfsaild_push() to return a 10-ms value when the AIL is empty, which sets
xfsaild into the uninterruptible sleep state (D state) and artificially increased system load
average. This update applies a patch that fixes this problem by setting the timeout value to
the allowed maximum, 50 ms. This moves xfsaild to the interruptible sleep state (S state),
avoiding the impact on load average.
BZ#972607
When adding a virtual PCI device, such as virtio disk, virtio net, e1000 or rtl8139, to a KVM
guest, the kacpid thread reprograms the hot plug parameters of all devices on the PCI bus
to which the new device is being added. When reprogramming the hot plug parameters of a
VGA or QXL graphics device, the graphics device emulation requests flushing of the guest's
shadow page tables. Previously, if the guest had a huge and complex set of shadow page
tables, the flushing operation took a significant amount of time and the guest could appear
to be unresponsive for several minutes. This resulted in exceeding the threshold of the "soft
lockup" watchdog and the "BUG: soft lockup" events were logged by both the guest and
host kernel. This update applies a series of patches that deal with this problem. The KVM's
Memory Management Unit (MMU) now avoids creating multiple page table roots in
connection with processors that support Extended Page Tables (EPT). This prevents the
guest's shadow page tables from becoming too complex on machines with EPT support.
MMU now also flushes only large memory mappings, which alleviates the situation on
machines where the processor does not support EPT. Additionally, a free memory
accounting race that could prevent KVM MMU from freeing memory pages has been fixed.
Users should upgrade to these updated packages, which contain backported patches to correct
these issues. The system must be rebooted for this update to take effect.
4.119.2. RHSA-2013:0741 — Important: kernel security and bug fix update
Updated kernel packages that fix several security issues and several bugs are now available for Red
Hat Enterprise Linux 6.2 Extended Update Support.
The Red Hat Security Response Team has rated this update as having important security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are
available for each vulnerability from the CVE links associated with each description below.
These packages contain the Linux kernel.
Security Fixes
CVE-2013-0871, Important
A race condition was found in the way the Linux kernel's ptrace implementation handled
PTRACE_SETREGS requests when the debuggee was woken due to a SIGKILL signal
instead of being stopped. A local, unprivileged user could use this flaw to escalate their
privileges.
CVE-2012-2133, Moderate
A use-after-free flaw was found in the Linux kernel's memory management subsystem in the
way quota handling for huge pages was performed. A local, unprivileged user could use
this flaw to cause a denial of service or, potentially, escalate their privileges.
Red Hat would like to thank Shachar Raindel for reporting CVE-2012-2133.
Bug Fixes
BZ#911265
The Intel 5520 and 5500 chipsets do not properly handle remapping of MSI and MSI-X
interrupts. If the interrupt remapping feature is enabled on the system with such a chipset,
various problems and service disruption could occur (for example, a NIC could stop
receiving frames), and the "kernel: do_IRQ: 7.71 No irq handler for vector (irq -1)" error
message appears in the system logs. As a workaround to this problem, it has been
recommended to disable the interrupt remapping feature in the BIOS on such systems, and
many vendors have updated their BIOS to disable interrupt remapping by default. However,
the problem is still being reported by users without proper BIOS level with this feature
properly turned off. Therefore, this update modifies the kernel to check if the interrupt
remapping feature is enabled on these systems and to provide users with a warning
message advising them on turning off the feature and updating the BIOS.
BZ#913161
A possible race between the n_tty_read() and reset_buffer_flags() functions could result in a
NULL pointer dereference in the n_tty_read() function under certain circumstances. As a
consequence, a kernel panic could have been triggered when interrupting a current task on
a serial console. This update modifies the tty driver to use a spin lock to prevent functions
from a parallel access to variables. A NULL pointer dereference causing a kernel panic can
no longer occur in this scenario.
BZ#915581
Previously, running commands such as "ls", "find" or "move" on a MultiVersion File System
(MVFS) could cause a kernel panic. This happened because the d_validate() function,
which is used for dentry validation, called the kmem_ptr_validate() function to validate a
pointer to a parent dentry. The pointer could have been freed anytime so the
kmem_ptr_validate() function could not guarantee the pointer to be dereferenced, which
could lead to a NULL pointer dereference. This update modifies d_validate() to verify the
parent-child relationship by traversing the parent dentry's list of child dentries, which
solves this problem. The kernel no longer panics in the described scenario.
BZ#921959
When running a high thread workload of small-sized files on an XFS file system, sometimes,
the system could become unresponsive or a kernel panic could occur. This occurred
because the xfsaild daemon had a subtle code path that led to lock recursion on the xfsaild
lock when a buffer in the AIL was already locked and an attempt was made to force the log
to unlock it. This patch removes the dangerous code path and queues the log force to be
invoked from a safe locking context with respect to xfsaild. This patch also fixes the race
condition between buffer locking and buffer pinned state that exposed the original problem
by rechecking the state of the buffer after a lock failure. The system no longer hangs and
the kernel no longer panics in this scenario.
BZ#922140
A race condition could occur between page table sharing and virtual memory area (VMA)
teardown. As a consequence, multiple "bad pmd" message warnings were displayed and
"kernel BUG at mm/filemap.c:129" was reported while shutting down applications that share
memory segments backed by huge pages. With this update, the VM_MAYSHARE flag is
explicitly cleaned during the unmap_hugepage_range() call under the i_mmap_lock. This
makes VMA ineligible for sharing and avoids the race condition. After using shared
segments backed by huge pages, applications like databases and caches shut down
correctly, with no crash.
BZ#923849
Previously, the NFS Lock Manager (NLM) did not resend blocking lock requests after
NFSv3 server reboot recovery. As a consequence, when an application was running on a
NFSv3 mount and requested a blocking lock, the application received an -ENOLCK error.
This patch ensures that NLM always resends blocking lock requests after the grace period
has expired.
BZ#924836
A bug in the anon_vma lock in the mprotect() function could cause virtual memory area
(vma) corruption. The bug has been fixed so that virtual memory area corruption no longer
occurs in this scenario.
Users should upgrade to these updated packages, which contain backported patches to correct
these issues. The system must be rebooted for this update to take effect.
4.119.3. RHBA-2012:1254 — kernel bug fix and enhancement update
Updated kernel packages that fix three bugs and add two enhancements are now available for Red
Hat Enterprise Linux 6 Extended Update Support.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Bug Fixes
BZ#846831
Previously, the TCP socket bound to NFS server contained a stale skb_hints socket buffer.
Consequently, the kernel could terminate unexpectedly. A patch has been provided to address
this issue and skb_hints is now properly cleared from the socket, thus preventing this bug.
BZ#847041
On Intel systems with Pause Loop Exiting (PLE), or AMD systems with Pause Filtering (PF),
it was possible for larger multi-CPU KVM guests to experience slowdowns and soft lockups.
Due to a boundary condition in kvm_vcpu_on_spin, all the VCPUs could try to yield to
VCPU0, causing contention on the run queue lock of the physical CPU where the guest's
VCPU0 is running. This update eliminates the boundary condition in kvm_vcpu_on_spin.
BZ#847944
Due to a missing return statement, the nfs_attr_use_mounted_on_file() function returned a
wrong value. As a consequence, redundant ESTALE errors could potentially be returned.
This update adds the proper return statement to nfs_attr_use_mounted_on_file(), thus
preventing this bug.
Enhancements
BZ#847732
This update adds support for the Proportional Rate Reduction (PRR) algorithms for the
TCP protocol. This algorithm determines TCP's sending rate in fast recovery. PRR avoids
excessive window reductions and improves accuracy of the amount of data sent during
loss recovery. In addition, a number of other enhancements and bug fixes for TCP are part
of this update.
BZ#849550
This update affects performance of the O_DSYNC flag on the GFS2 file system when only
data (and not metadata such as file size) has been dirtied as a result of the write() system
call. Prior to this update, write calls with O_DSYNC were behaving the same way as with
O_SYNC at all times. With this update, O_DSYNC write calls only write back data if the
inode's metadata is not dirty. This results in a considerable performance improvement for
this specific case. Note that the issue does not affect data integrity. The same issue also
applies to the pairing of the write() and fdatasync() system calls.
All users are advised to upgrade to these updated packages, which fix these bugs and add these
enhancements. The system must be rebooted for this update to take effect.
4.119.4. RHBA-2012:1198 — kernel bug fix update
Updated kernel packages that fix two bugs are now available for Red Hat Enterprise Linux 6
Extended Update Support.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
When an NTP server asserts the STA_INS flag (Leap Second Insert), the kernel starts an hrtimer
(high-resolution timer) with a countdown clock. This hrtimer expires at end of the current month,
midnight UTC, and inserts a second into the kernel timekeeping structures. A scheduled leap second
occurred on June 30 2012 midnight UTC.
Bug Fixes
BZ#840949
Previously in the kernel, when the leap second hrtimer was started, it was possible that the
kernel livelocked on the xtime_lock variable. This update fixes the problem by using a
mixture of separate subsystem locks (timekeeping and ntp) and removing the xtime_lock
variable, thus avoiding the livelock scenarios that could occur in the kernel.
BZ#847365
After the leap second was inserted, applications calling system calls that used futexes
consumed almost 100% of available CPU time. This occurred because the kernel's
timekeeping structure update did not properly update these futexes. The futexes repeatedly
expired, re-armed, and then expired immediately again. This update fixes the problem by
properly updating the futex expiration times by calling the clock_was_set_delayed()
function, an interrupt-safe method of the clock_was_set() function.
All users are advised to upgrade to these updated packages, which fix these bugs. The system must
be rebooted for this update to take effect.
4.119.5. RHBA-2013:0184 — kernel bug fix update
Updated kernel packages that fix three bugs are now available for Red Hat Enterprise Linux 6
Extended Update Support.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Bug Fixes
BZ#880083
Previously, the IP over Infiniband (IPoIB) driver maintained state information about
neighbors on the network by attaching it to the core network's neighbor structure. However,
due to a race condition between the freeing of the core network neighbor struct and the
freeing of the IPoIB network struct, a use after free condition could happen, resulting in
either a kernel oops or 4 or 8 bytes of kernel memory being zeroed when it was not
supposed to be. These patches decouple the IPoIB neighbor struct from the core
networking stack's neighbor struct so that there is no race between the freeing of one and
the freeing of the other.
BZ#884421
Previously, the HP Smart Array, or hpsa, driver used target reset. However, HP Smart Array
logical drives do not support target reset. Therefore, if the target reset failed, the logical
drive was taken offline with a file system error. The hpsa driver has been updated to use
LUN reset instead of target reset, which is supported by these drives.
BZ#891563
Previously, the xdr routines in NFS version 2 and 3 conditionally updated the res->count
variable. Read retry attempts after a short NFS read() call could fail to update the
res->count variable, resulting in truncated read data being returned. With this update, the
res->count variable is updated unconditionally, thus preventing this bug.
Users should upgrade to these updated packages, which contain backported patches to fix these
bugs. The system must be rebooted for this update to take effect.
4.119.6. RHSA-2011:1530 — Moderate: Red Hat Enterprise Linux 6.2 kernel security, bug fix, and enhancement update
Updated kernel packages that fix multiple security issues, address several hundred bugs, and add
numerous enhancements are now available as part of the ongoing support and maintenance of Red
Hat Enterprise Linux version 6. This is the second regular update.
The Red Hat Security Response Team has rated this update as having moderate security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are
available for each vulnerability from the CVE links associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security Fixes
CVE-2011-1020, Moderate
The proc file system could allow a local, unprivileged user to obtain sensitive information or
possibly cause integrity issues.
CVE-2011-3347, Moderate
Non-member VLAN (virtual LAN) packet handling for interfaces in promiscuous mode and
also using the be2net driver could allow an attacker on the local network to cause a denial
of service.
CVE-2011-3638, Moderate
A flaw was found in the Linux kernel in the way splitting two extents in
ext4_ext_convert_to_initialized() worked. A local, unprivileged user with access
to mount and unmount ext4 file systems could use this flaw to cause a denial of service.
CVE-2011-4110, Moderate
A NULL pointer dereference flaw was found in the way the Linux kernel's key management
facility handled user-defined key types. A local, unprivileged user could use the keyctl utility
to cause a denial of service.
Red Hat would like to thank Kees Cook for reporting CVE-2011-1020; Somnath Kotur for reporting
CVE-2011-3347; and Zheng Liu for reporting CVE-2011-3638.
Bug Fixes
BZ#713682
When a host was in recovery mode and a SCSI scan operation was initiated, the scan
operation failed and provided no error output. This bug has been fixed and the SCSI layer
now waits for recovery of the host to complete scan operations for devices.
BZ#712139
In a GFS2 file system, when the responsibility for deallocation was passed from one node
to another, the receiving node may not have had a fully up-to-date inode state. If the
sending node has changed the important parts of the state in the mean time (block
allocation/deallocation) then this resulted in triggering an assert during the deallocation on
the receiving node. With this update, the inode state is refreshed correctly during
deallocation on the receiving node, ensuring that deallocation proceeds normally.
BZ#712131
Issues for which a host had older hypervisor code running on newer hardware, which
exposed the new CPU features to the guests, were discovered. This was dangerous
because newer guest kernels (such as Red Hat Enterprise Linux 6) may have attempted to
use those features or assume certain machine behaviors that it would not be able to
process because it was, in fact, a Xen guest. One such place was the intel_idle driver which
attempts to use the MWAIT and MONITOR instructions. These instructions are invalid
operations for a Xen PV guest. This update provides a patch, which masks the MWAIT
instruction to avoid this issue.
BZ#712102
The 128-bit multiply operation in the pvclock.h function was missing an output constraint
for EDX which caused a register corruption to appear. As a result, Red Hat Enterprise Linux
3.8 and Red Hat Enterprise Linux 3.9 KVM guests with a Red Hat Enterprise Linux 6.1 KVM
host kernel exhibited time inconsistencies. With this update, the underlying source code
has been modified to address this issue, and time runs as expected on the aforementioned
systems.
BZ#712000
Prior to this update, the following message appeared in kernel log files:
[bnx2x_extract_max_cfg:1079(eth11)]Illegal configuration detected
for Max BW - using 100 instead
The above message appeared on bnx2x interfaces in the multi-function mode which were
not used and had no link, thus, not indicating any actual problems with connectivity. With
this update, the message has been removed and no longer appears in kernel log files.
BZ#713730
Previously, some enclosure devices with a broken firmware reported incorrect values. As a
consequence, the kernel sometimes terminated unexpectedly. A patch has been provided to
address this issue, and the kernel crashes no longer occur even if an enclosure device
reports incorrect or duplicate data.
BZ#709856
Xen guests cannot make use of all CPU features, and in some cases they are even risky to
be advertised. One such feature is CONSTANT_TSC. This feature prevents the TSC (Time
Stamp Counter) from being marked as unstable, which allows the sched_clock_stable
option to be enabled. Having the sched_clock_stable option enabled is problematic for Xen
PV guests because the sched_clock() function has been overridden with the
xen_sched_clock() function, which is not synchronized between virtual CPUs. This update
provides a patch, which sets all x86_power features to 0 as a preventive measure against
other potentially dangerous assumptions the kernel could make based on the features,
fixing this issue.
BZ#623712
RHEL6.2 backported the scalability improvement on creating many 'cpu' control groups
(cgroups) on a system with a large number of CPUs. The creation process for large number
of cgroups will no longer hog the machine when the control groups feature is enabled.
In addition to the scalability improvement, a /proc tunable parameter, dd
sysctl_sched_shares_window, has been added, and the default is set to 10 ms.
BZ#719304
Older versions of be2net cards firmware may not recognize certain commands and return
illegal/unsupported errors, causing confusing error messages to appear in the logs. With
this update, the driver handles these errors gracefully and does not log them.
BZ#722461
On IBM System z, if a Linux instance with large amounts of anonymous memory runs into a
memory shortage the first time, all pages on the active or inactive lists are considered
referenced. This causes the memory management on IBM System z to do a full check over
all page cache pages and start writeback for all of them. As a consequence, the system
became temporarily unresponsive when the described situation occurred. With this update,
only pages with active mappers are checked and the page scan now does not cause the
hangs.
BZ#722596
This update fixes the inability of the be2net driver to work in a kdump environment. It clears
an interrupt bit (in the card) that may be set while the driver is probed by the kdump kernel
after a crash.
BZ#705441
A previously introduced update intended to prevent IOMMU (I/O Memory Management Unit)
domain exhaustion introduced two regressions. The first regression was a race where a
domain pointer could be freed while a lazy flush algorithm still had a reference to it,
eventually causing kernel panic. The second regression was an erroneous reference
removal for identity mapped and VM IOMMU domains, causing I/O errors. Both of these
regressions could only be triggered on Intel based platforms, supporting VT-d, booted with
the intel_iommu=on boot option. With this update, the underlying source code of the
intel-iommu driver has been modified to resolve both of these problems. A forced flush is now
used to avoid the lazy use after free issue, and extra checks have been added to avoid the
erroneous reference removal.
BZ#635596
This update fixes two bugs related to Rx checksum offloading. These bugs caused corruption
of data transferred over the r8169 NIC when Rx checksum offloading was enabled.
BZ#704401
Prior to this update, kdump failed to create a vmcore file after triggering a crash on
POWER7 systems with Dynamic DMA Windows enabled. This update provides a number of
fixes that address this issue.
BZ#703935
Previously, auditing system calls used a simple check to determine whether a return value
was positive or negative, which also determined the success of the system call. With few
exceptions, this worked on most platforms and with most system calls. For example,
the 32-bit mmap system call on the AMD64 architecture could return a pointer which
appeared to be negative even though pointers are normally unsigned values.
This resulted in the success field being incorrect. This patch fixes the success field for all
system calls on all architectures.
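The misclassification described in BZ#703935 can be reproduced in user space. The following is an added example, not code from the Red Hat patch: it compares a sign-bit success check with a range check based on the Linux convention that return values in [-4095, -1] are negated errno codes (MAX_ERRNO, assumed here), using constructed 32-bit return values. Audit searches and rules that filter on the success field inherit whatever this check decides.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: Linux convention that a syscall return value in
 * [-4095, -1] is a negated errno; everything else is a valid result. */
#define MAX_ERRNO 4095u

/* Sign-based check as described in the note: sign bit set means failure. */
static bool sign_check_success(uint32_t ret)
{
    return (ret & 0x80000000u) == 0;
}

/* Range-based check: only the top MAX_ERRNO register values are errors. */
static bool range_check_success(uint32_t ret)
{
    return ret < (uint32_t)(0u - MAX_ERRNO);   /* below 0xfffff001 */
}

/* Decode the errno from a raw return value, or 0 if the call succeeded. */
static int errno_of(uint32_t ret)
{
    return range_check_success(ret) ? 0 : (int)(0u - ret);
}

/* Constructed sample return values for 32-bit system calls. */
struct sample {
    const char *syscall;
    uint32_t    ret;
};

static const struct sample samples[] = {
    { "mmap", 0xf7fd9000u },  /* valid mapping in the upper 2 GiB      */
    { "mmap", 0x08048000u },  /* valid mapping in the lower 2 GiB      */
    { "mmap", 0xfffffff4u },  /* -12 (ENOMEM): a real failure          */
    { "open", 0x00000003u },  /* file descriptor 3                     */
    { "open", 0xfffffffeu },  /* -2 (ENOENT): a real failure           */
    { "brk",  0x80000000u },  /* valid address exactly at 2 GiB        */
};

#define NSAMPLES (sizeof(samples) / sizeof(samples[0]))

/* Count samples whose success field the sign-based check gets wrong. */
static size_t count_mislabelled(void)
{
    size_t wrong = 0;
    for (size_t i = 0; i < NSAMPLES; i++) {
        if (sign_check_success(samples[i].ret) !=
            range_check_success(samples[i].ret))
            wrong++;
    }
    return wrong;
}

int main(void)
{
    /* Print each sample the way the two checks would label it. */
    printf("%-6s %-12s %-10s %-10s %s\n",
           "call", "raw return", "sign", "range", "errno");
    for (size_t i = 0; i < NSAMPLES; i++) {
        uint32_t r = samples[i].ret;
        printf("%-6s 0x%08x   success=%-3s success=%-3s %d\n",
               samples[i].syscall, (unsigned)r,
               sign_check_success(r) ? "yes" : "no",
               range_check_success(r) ? "yes" : "no",
               errno_of(r));
    }
    printf("mislabelled by sign check: %zu of %zu\n",
           count_mislabelled(), (size_t)NSAMPLES);
    return 0;
}
```

Both high-address results are logged as failures by the sign check while the real errors are labelled identically by both checks, which is why a filter on failed calls over-reports rather than under-reports in this case.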
BZ#703245
When VLANs stacked on top of multiqueue devices passed through these devices, the
queue_mapping value was not properly decremented because the VLAN devices called the
physical devices via the ndo_select_queue method. This update removes the multiqueue
functionality, resolving this issue.
BZ#703055
Prior to this update, Red Hat Enterprise Linux Xen (up to version 5.6) did not hide 1 GB
pages and RDTSCP (enumeration features of CPUID), causing guest soft lock ups on AMD
hosts when the guest's memory was greater than 8 GB. With this update, a Red Hat
Enterprise Linux 6 HVM (Hardware Virtual Machine) guest is able to run on Red Hat
Enterprise Linux Xen 5.6 and lower.
BZ#702742
Prior to this update, code was missing from the netif_set_real_num_tx_queues() function
which prevented an increment of the real number of TX queues (the real_num_tx_queues
value). This update adds the missing code; thus, resolving this issue.
BZ#725711
Previously, the inet6_sk_generic() function was using the obj_size variable to compute the
address of its inner structure, causing memory corruption. With this update, the
sk_alloc_size() is called every time there is a request for allocation, and memory corruption
no longer occurs.
BZ#702057
Multiple GFS2 nodes attempted to unlink, rename, or manipulate files at the same time,
causing various forms of file system corruption, panics, and withdraws. This update adds
multiple checks for dinode's i_nlink value to assure inode operations such as link, unlink,
or rename no longer cause the aforementioned problems.
BZ#701951
A kernel panic in the mpt2sas driver could occur on an IBM system using a drive with
SMART (Self-Monitoring, Analysis and Reporting Technology) issues. This was because
the driver was sending an SEP request while the kernel was in the interrupt context, causing
the driver to enter the sleep state. With this update, a fake event is not executed from the
interrupt context, assuring the SEP request is properly issued.
BZ#700538
When using certain SELinux policies, such as the MLS policy, it was not possible to
properly mount the cgroupfs file system due to the way security checks were applied to the
new cgroupfs inodes during the mount operation. With this update, the security checks
applied during the mount operation have been changed so that they always succeed, and
the cgroupfs file system can now be successfully mounted and used with the MLS SELinux
policy. This issue did not affect systems which used the default targeted policy.
BZ#729220
When a SCTP (Stream Control Transmission Protocol) packet contained two
COOKIE_ECHO chunks and nothing else, the SCTP state machine disabled output
processing for the socket while processing the first COOKIE_ECHO chunk, then lost the
association and forgot to re-enable output processing for the socket. As a consequence,
any data which needed to be sent to a peer were blocked and the socket appeared to be
unresponsive. With this update, a new SCTP command has been added to the kernel code,
which sets the association explicitly; the command is used when processing the second
COOKIE_ECHO chunk to restore the context for SCTP state machine, thus fixing this bug.
BZ#698268
The hpsa driver has been updated to provide a fix for hpsa driver kdump failures.
BZ#696777
Prior to this update, interrupts were enabled before the dispatch log for the boot CPU was
set up, causing kernel panic if a timer interrupt occurred before the log was set up. This
update adds a check to the scan_dispatch_log function to ensure the dispatch log has
been allocated.
BZ#696754
Prior to this update, the interrupt service routine was performing unnecessary MMIO
operation during performance testing on IBM POWER7 machines. With this update, the
logic of the routine has been modified so that there are fewer MMIO operations in the
performance path of the code. Additionally, as a result of the aforementioned change, an
existing condition was exposed where the IPR driver (the controller device driver) could
return an unexpected HRRQ (Host Receive Request) interrupt. The original code flagged the
interrupt as unexpected and then reset the adapter. After further analysis, it was confirmed
that this condition could occasionally occur and the interrupt can be safely ignored.
Additional code provided by this update detects this condition, clears the interrupt, and
allows the driver to continue without resetting the adapter.
BZ#732706
The ACPI (Advanced Control and Power Interface) core places all events to the kacpi_notify
queue including PCI hotplug events. When the acpiphp driver was loaded and a PCI card
with a PCI-to-PCI bridge was removed from the system, the code path attempted to empty the
kacpi_notify queue which causes a deadlock, and the kacpi_notify thread became
unresponsive. With this update, the call sequence has been fixed, and the bridge is now
cleaned-up properly in the described scenario.
BZ#669363
Prior to this update, the /proc/diskstats file showed erroneous values. This occurred when
the kernel merged two I/O operations for adjacent sectors which were located on different
disk partitions. Two merge requests were submitted for the adjacent sectors, the first request
for the second partition and the second request for the first partition, which was then
merged to the first request. The first submission of the merge request incremented the
in_flight value for the second partition. However, at the completion of the merge request, the
in_flight value of a different partition (the first one) was decremented. This resulted in the
erroneous values displayed in the /proc/diskstats file. With this update, the merging of two
I/O operations which are located on different disk partitions has been fixed and works as
expected.
BZ#670765
Due to an uninitialized variable (specifically, the isr_ack variable), a virtual guest could
become unresponsive when migrated while being rebooted. With this update, the said
variable is properly initialized, and virtual guests no longer hang in the aforementioned
scenario.
BZ#695231
Prior to this update, the be2net driver was using the BE3 chipset in legacy mode. This
update enables this chipset to work in a native mode, making it possible to use all 4 ports
on a 4-port integrated NIC.
BZ#694747
A Windows Server 2008 32-bit guest installation failed on a Red Hat Enterprise Linux 6.1
Snap2 KVM host when allocating more than one virtual CPU (vcpus > 1) during the
installation. As soon as the installation started after booting from ISO, a blue screen with the
following error occurred:
A problem has been detected and windows has been shut down to
prevent damage to your computer.
This was because a valid microcode update signature was not reported to the guest. This
update fixes this issue by reporting a non-zero microcode update signature to the guest.
BZ#679526
Disk read operations on a memory constrained system could cause allocations to stall. As
a result, the system performance would drop considerably. With this update, latencies seen
in page reclaim operations have been reduced and their efficiency improved; thus, fixing
this issue.
BZ#736667
A workaround to the megaraid_sas driver was provided to address an issue but as a side
effect of the workaround, megaraid_sas stopped reporting certain enclosures, CD-ROM
drives, and other devices. The underlying problem for the issue has been fixed as reported
in BZ#741166. With this update, the original workaround has been reverted, and
megaraid_sas now reports many different devices as before.
BZ#694210
This update fixes a regression in which a client would use an UNCHECKED NFS CREATE
call when an open system call was attempted with the O_EXCL|O_CREAT flag combination.
An EXCLUSIVE NFS CREATE call should have been used instead to ensure that O_EXCL
semantics were preserved. As a result, an application could be led to believe that it had
created the file when it was in fact created by another application.
BZ#692167
A race between the FSFREEZE ioctl() command to freeze an ext4 file system and mmap I/O
operations would result in a deadlock if these two operations ran simultaneously. This
update provides a number of patches to address this issue, and a deadlock no longer
occurs in the previously-described scenario.
BZ#712653
When a CPU is about to modify data protected by the RCU (Read Copy Update)
mechanism, it has to wait for other CPUs in the system to pass a quiescent state.
Previously, the guest mode was not considered a quiescent state. As a consequence, if a
CPU was in the guest mode for a long time, another CPU had to wait a long time in order to
modify RCU-protected data. With this update, the rcu_virt_note_context_switch() function,
which marks the guest mode as a quiescent state, has been added to the kernel, thus
resolving this issue.
BZ#683658
The patch that fixed BZ#556572 introduced a bug where the page lock was being released
too soon, allowing the do_wp_page function to reuse the wrprotected page before PageKsm
would be set in page->mapping. With this update, a new version of the original fix was
introduced, thus fixing this issue.
BZ#738110
Due to the partial support of IPv6 multicast snooping, IPv6 multicast packets may have
been dropped. This update fixes IPv6 multicast snooping so that packets are no longer
dropped.
BZ#691310
While executing a multi-threaded process by multiple CPUs, page-directory-pointer-table
entry (PDPTE) registers were not fully flushed from the CPU cache when a Page Global
Directory (PGD) entry was changed in x86 Physical Address Extension (PAE) mode. As a
consequence, the process failed to respond for a long time before it successfully finished.
With this update, the kernel has been modified to flush the Translation Lookaside Buffer
(TLB) for each CPU using a page table that has changed. Multi-threaded processes now
finish without hanging.
BZ#738379
When a kernel NFS server was being stopped, the kernel sometimes terminated unexpectedly. A
bug has been fixed in the wait_for_completion_interruptible_timeout() function and the
crashes no longer occur in the described scenario.
BZ#690745
Recent Red Hat Enterprise Linux 6 releases use a new naming scheme for network
interfaces on some machines. As a result, the installer may use different names during an
upgrade in certain scenarios (typically em1 is used instead of eth0 on new Dell machines).
However, the previously used network interface names are preserved on the system and the
upgraded system will still use the previously used interfaces. This is not the case for Yum
upgrades.
BZ#740465
A scenario for this bug involves two hosts, configured to use IPv4 network, and two guests,
configured to use IPv6 network. When a guest on host A attempted to send a large UDP
datagram to host B, host A terminated unexpectedly. With this update, the
ipv6_select_ident() function has been fixed to accept the in6_addr parameter and to use the
destination address in IPv6 header when no route is attached, and the crashes no longer
occur in the described scenario.
BZ#693894
Migration of a Windows XP virtual guest during the early stage of a boot caused the virtual
guest OS to fail to boot correctly. With this update, the underlying source code has been
modified to address this issue, and the virtual guest OS no longer fails to boot.
BZ#694358
This update adds a missing patch to the ixgbe driver to use the kernel's generic routine to
set and obtain the DCB (Data Center Bridging) priority. Without this fix, applications could
not properly query the DCB priority.
BZ#679262
In Red Hat Enterprise Linux 6.2, due to security concerns, addresses in /proc/kallsyms and
/proc/modules show all zeros when accessed by a non-root user.
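One way to verify this behaviour on a given host, as an added example that is not part of the Red Hat notes: the C program below parses /proc/kallsyms and /proc/modules and counts the lines whose address field is non-zero. The function names and the sample lines are constructed for this example; run as a non-root user on a system with this change, both counts should be 0.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int (*line_check)(const char *);

/* /proc/kallsyms line: "<hex address> <type> <symbol> [module]".
 * Returns 1 if a non-zero address is visible, 0 if zeroed, -1 if unparsable. */
int kallsyms_line_exposes(const char *line)
{
    char *end;
    unsigned long long addr = strtoull(line, &end, 16);

    if (end == line || (*end != ' ' && *end != '\t'))
        return -1;
    return addr != 0;
}

/* /proc/modules line: "<name> <size> <refcount> <deps> <state> <address> ...".
 * The load address is the sixth whitespace-separated field. */
int modules_line_exposes(const char *line)
{
    const char *p = line;
    char *end;
    unsigned long long addr;
    int field;

    for (field = 1; field < 6; field++) {
        p += strcspn(p, " \t\n");   /* skip the current field */
        p += strspn(p, " \t");      /* skip the separator */
        if (*p == '\0' || *p == '\n')
            return -1;              /* fewer than six fields */
    }
    addr = strtoull(p, &end, 16);   /* base 16 accepts the "0x" prefix */
    if (end == p)
        return -1;
    return addr != 0;
}

/* Constructed sample lines (not captured from a real system). */
static const char *const SAMPLE_KALLSYMS_ROOT[] = {
    "ffffffff81000000 T _text\n",
    "ffffffffa00b2000 t ext4_init_fs\t[ext4]\n",
};
static const char *const SAMPLE_KALLSYMS_USER[] = {
    "0000000000000000 T _text\n",
    "0000000000000000 t ext4_init_fs\t[ext4]\n",
};
static const char *const SAMPLE_MODULES_USER[] = {
    "ext4 364410 1 - Live 0x0000000000000000\n",
    "jbd2 88738 1 ext4, Live 0x0000000000000000\n",
};

/* Count lines exposing an address; *bad receives the unparsable line count. */
int count_exposed(const char *const lines[], size_t n, line_check check, int *bad)
{
    int exposed = 0;
    size_t i;

    *bad = 0;
    for (i = 0; i < n; i++) {
        int r = check(lines[i]);
        if (r < 0)
            (*bad)++;
        else
            exposed += r;
    }
    return exposed;
}

/* Same tally over a real file; returns -1 if the file cannot be opened. */
int scan_file(const char *path, line_check check, int *bad)
{
    char buf[512];
    const char *one[1];
    FILE *fp = fopen(path, "r");
    int exposed = 0, b;

    *bad = 0;
    if (!fp)
        return -1;
    while (fgets(buf, sizeof(buf), fp)) {
        one[0] = buf;
        exposed += count_exposed(one, 1, check, &b);
        *bad += b;
    }
    fclose(fp);
    return exposed;
}

int main(void)
{
    int bad;
    int k = scan_file("/proc/kallsyms", kallsyms_line_exposes, &bad);
    int m = scan_file("/proc/modules", modules_line_exposes, &bad);

    printf("/proc/kallsyms: %d line(s) with a visible address\n", k);
    printf("/proc/modules:  %d line(s) with a visible address\n", m);
    return (k > 0 || m > 0) ? 1 : 0;
}
```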
BZ#695859
Red Hat Enterprise Linux 6.0 and 6.1 defaulted to running UEFI systems in a physical
addressing mode. Red Hat Enterprise Linux 6.2 defaults to running UEFI systems in a
virtual addressing mode. The previous behavior may be obtained by passing the physefi
kernel parameter.
BZ#695966
After receiving an ABTS response, the FCoE (Fibre Channel over Ethernet) DDP error status
was cleared. As a result, the FCoE DDP context invalidation was incorrectly bypassed and
caused memory corruption. With this update, the underlying source code has been
modified to address this issue, and memory corruption no longer occurs.
BZ#696511
Suspending a system to RAM and consequently resuming it caused USB3.0 ports to not
work properly. This was because a USB3.0 device configured for MSIX would, during the
resume operation, incorrectly read its previous interrupt state. This would lead it to fall back
to a legacy mode and appear unresponsive. With this update, the interrupt state is cached,
allowing the driver to properly resume its previous state.
BZ#662666
Deleting the lost+found directory on a file system with inodes of size greater than 128 bytes
and reusing inode 11 for a different file caused the extended attributes for inode 11 (which
were set before a umount operation) to not be saved after a file system remount. As a result,
the extended attributes were lost after the remount. With this update, inodes store their
extended attributes under all circumstances.
BZ#698023
Prior to this update, in the __cache_alloc() function, the ac variable could be changed after
cache_alloc_refill() and the following kmemleak_erase() function could receive an incorrect
pointer, causing a kernel panic. With this update, the ac variable is updated
unconditionally after the cache_alloc_refill() call.
BZ#698625
This update includes two fixes for the bna driver, specifically:
- A memory leak was caused by an unintentional assignment of the NULL value to the RX
  path destroy callback function pointer after a correct initialization.
- During a kernel crash, the bna driver control path state machine and firmware did not
  receive a notification of the crash, and, as a result, were not shut down cleanly.
BZ#700165
When an event caused the ibmvscsi driver to reset its CRQ, re-registering the CRQ returned
H_CLOSED, indicating that the Virtual I/O Server was not ready to receive commands. As a
consequence, the ibmvscsi driver offlined the adapter and did not recover. With this update,
the interrupt is re-enabled after the reset so that when the Virtual I/O server is ready and
sends a CRQ init, it is able to receive it and resume initialization of the VSCSI adapter.
BZ#700299
This update standardizes the printed format of UUIDs (Universally Unique Identifier)/GUIDs
(Globally Unique Identifier) by using an additional extension to the %p format specifier
(which is used to show the memory address value of a pointer).
BZ#702036
Prior to this update, the ehea driver caused a kernel oops during a memory hotplug if the
ports were not up. With this update, the waitqueues are initialized during the port probe
operation, instead of during the port open operation.
BZ#702263
While running gfs2_grow, the file system became unresponsive. This was due to the log not
getting flushed when a node dropped its rindex glock so that another node could grow the
file system. If the log did not get flushed, GFS2 could corrupt the sd_log_le_rg list, ultimately
causing a hang. With this update, a log flush is forced when the rindex glock is invalidated;
gfs2_grow completes as expected and the file system remains accessible.
BZ#703251
The Brocade BFA FC/FCoE driver was previously selectively marked as a Technology
Preview based on the type of the adapter. With this update, the Brocade BFA FC/FCoE
driver is always marked as a Technology Preview.
BZ#703265
The Brocade BFA FC SCSI driver (bfa driver) has been upgraded to version 2.3.2.4.
Additionally, this update provides the following two fixes:
- A firmware download memory leak was caused by the release_firmware() function not
  being called after the request_firmware() function. Similarly, the firmware download
  interface has been fixed and now works as expected.
- During a kernel crash, the bfa I/O control state machine and firmware did not receive a
  notification of the crash, and, as a result, were not shut down cleanly.
BZ#704231
A previously released patch for BZ #625487 introduced a kABI (Kernel Application Binary
Interface) workaround that extended struct sock (the network layer representation of
sockets) by putting the extension structure in the memory right after the original structure.
As a result, the prot->obj_size pointer had to be adjusted in the proto_register function.
Prior to this update, the adjustment was done only if the alloc_slab parameter of the
proto_register function was not 0. When the alloc_slab parameter was 0, drivers performed
allocations themselves using sk_alloc and, as the allocated memory was smaller than
needed, memory corruption could occur. With this update, the underlying source code
has been modified to address this issue, and memory corruption no longer occurs.
BZ#705082
A scalability issue with KVM/QEMU was discovered in the idr_lock spinlock in the
posix-timers code, resulting in excessive CPU resource usage. With this update, the underlying
source code has been modified to address this issue, and the aforementioned spinlock no
longer uses excessive amounts of CPU resources.
BZ#723650
When an NFS server returned more than two GETATTR bitmap words in response to the
FATTR4_ACL attribute request, decoding operations of the nfs4_getfacl() function failed. A
patch has been provided to address this issue and the ACLs are now returned in the
described scenario.
BZ#707268
After hot plugging one of the disks of a non-boot 2-disk RAID 1 pair, the md driver would
enter an infinite resync loop thinking there was a spare disk available, when, in fact, there
was none. This update adds an additional check to detect the previously mentioned
situation, thus fixing this issue.
BZ#707757
The default for CFQ's group_isolation variable has been changed from 0 to 1
(/sys/block/<device>/queue/iosched/group_isolation). After various testing and numerous
user reports, it was found that a default of 1 is more useful. When set to 0, all random I/O
queues become part of the root cgroup and not the actual cgroup which the application is
part of. Consequently, this leads to no service differentiation for applications.
BZ#691945
In error recovery, most SCSI error recovery stages send a TUR (Test Unit Ready) command
for every bad command when a driver error handler reports success. When several bad
commands pointed to the same device, the device was probed multiple times. When the
device was in a state where the device did not respond to commands even after a recovery
function returned success, the error handler had to wait for the commands to time out. This
significantly impeded the recovery process. With this update, SCSI mid-layer error routines
to send test commands have been fixed to respond once per device instead of once per bad
command, thus reducing error recovery time considerably.
BZ#696396
Prior to this update, loading the FS-Cache kernel module would cause the kernel to be
tainted as a Technology Preview via the mark_tech_preview() function, which would cause
kernel lock debugging to be disabled by the add_taint() function. However, the NFS and
CIFS modules depend on the FS-Cache module so using either NFS or CIFS would cause
the FS-Cache module to be loaded and the kernel tainted. With this update, FS-Cache only
taints the kernel when a cache is brought online (for instance by starting the cachefilesd
service) and, additionally, the add_taint() function has been modified so that it does not
disable lock debugging for informational-only taints.
BZ#703728
This update removes temporary and unneeded files that were previously included with the
kernel source code.
BZ#632802
Previously removed flushing of MMU updates in the kmap_atomic() and kunmap_atomic()
functions resulted in a dereference bug when processing a fork() under a heavy load. This
update fixes page table entries in the kmap_atomic() and kunmap_atomic() functions to be
synchronous, regardless of the lazy_mmu mode, thus fixing this issue.
BZ#746570
Previously fixed ABI issues in Red Hat Enterprise Linux 6.2 resulted in broken drivers that
were built against the Red Hat Enterprise Linux 6.1 sources. This update adds padding to
the net_device private structure so that the overruns resulting from an excessively-long
pointer computed in the netdev_priv structure do not exceed the bounds of allocated
memory.
BZ#737753
A previously introduced patch increased the value of the cpuid field from 8 to 16 bits. As a
result, in some cases, modules built against the Red Hat Enterprise Linux 6.0 kernel source
panicked when loaded into the new Red Hat Enterprise Linux 6.2 kernel. This update
provides a patch which fixes this issue, guaranteeing backwards compatibility.
BZ#745253
KABI issues with additional fields in the "uv_blade_info" structure were discovered that
prevented existing SGI modules from loading against the Red Hat Enterprise Linux 6.2
kernel. This update fixes the code in the "uv_blade_info" structure, and SGI modules load
against the Red Hat Enterprise Linux 6.2 kernel as expected.
BZ#748503
Incorrect duplicate MAC addresses were being used on a rack network daughter card that
contained a quad-port Intel I350 Gigabit Ethernet Controller. With this update, the
underlying source code has been modified to address this issue, and correct MAC
addresses are now used under all circumstances.
BZ#728676
Prior to this update, on certain HP systems, the hpsa and cciss drivers could become
unresponsive and cause the system to crash when booting due to an attempt to read from a
write-only register. This update fixes this issue, and the aforementioned crashes no longer
occur.
BZ#693930
The cxgb4 driver never waited for RDMA_WR/FINI completions because the condition
variable used to determine whether the completion happened was never reset, and this
condition variable was reused for both connection setup and teardown. This caused
various driver crashes under heavy loads because resources were released too early. With
this update, atomic bits are used to correctly reset the condition immediately after the
completion is detected.
BZ#710497
If a Virtual I/O server failed in a dual virtual I/O server multipath configuration, not all remote
ports were deleted, causing path failover to not work properly. With this update, all remote
ports are deleted so that path failover works as expected. For a single path configuration,
the remote ports will enter the devloss state.
BZ#713868
When using the "crashkernel=auto" parameter and the "crashk_res.start" variable was set
to 0, the existing logic automatically set the value of the "crashk_res.start" variable to 32M.
However, to keep enough space in the RMO region for the first stage kernel on 64-bit
PowerPC, the "crashk_res.start" should have been set to KDUMP_KERNELBASE (64M).
This update fixes this issue and properly assigns the correct value to the "crashk_res.start"
variable.
BZ#743959
Due to a delay in settling of the usb-storage driver, the kernel failed to report all the disk
drive devices in time to Anaconda, when booted in Unified Extensible Firmware Interface
(UEFI) mode. Consequently, Anaconda presumed that no driver disks were available and
loaded the standard drivers. With this update, both Anaconda and the driver use a one
second delay, and all devices are enumerated and inspected for driver disks properly.
BZ#690129
Prior to this update, the remap_file_pages() call was disabled for mappings without the
VM_CAN_NONLINEAR flag set. Shared mappings of temporary file storage facilities (tmpfs)
had this flag set but the flag was not set for the shared mappings of the /dev/zero device or
shared anonymous mappings. With this update, the code has been modified and the
VM_CAN_NONLINEAR flag is set also on the shared mappings of the /dev/zero device and
shared anonymous mappings.
BZ#694309
The NFS client iterates through individual elements of a vector and issues a write request
for each element to the server when the writev() function is called on a file opened with the
O_DIRECT flag. Consequently, the server commits each individual write to the disk before
replying to the client and the request transfer from the NFS client to the NFS server causes
performance problems. With this update, the larger I/Os from the client are submitted only if
all buffers are page-aligned, each individual vector element is aligned and has multiple
pages, and the total I/O size is less than wsize (write block size).
BZ#699042
Improper shutdown in the e1000e driver caused a client with Intel 82578DM Gigabit
Ethernet PHY to ignore the Wake-on-LAN signal, and the attempt to boot the client failed. This
update applies the upstream Intel patch which fixes the problem.
BZ#703357
The "ifconfig up" command allocates memory for Direct Memory Access (DMA) operations.
The memory is released when the "ifconfig down" command is issued. Previously, if another
"ifconfig up" command was issued after an ifconfig up/down session, it re-enabled the DMA
operations before sending the new DMA memory address to the NIC and the NIC could
access the DMA address allocated during the previous ifconfig up/down session. However,
the DMA address was already freed and could be used by another process. With this
update, the underlying code has been modified and the problem no longer occurs.
BZ#729737
The in-process I/O operations of the Chelsio iWARP (cxgb3) driver could attempt to access
a control data structure, which was previously freed after a hardware error that disabled the
offload functionality occurred. This caused the system to terminate unexpectedly. With this
update, the driver delays the freeing of the data structure and the problem no longer occurs.
BZ#734509
Previously, the capabilities flag of the WHEA_OSC call was set to 0. This could cause
certain machines to disable APEI (ACPI Platform Error Interface). The flag is now set to 1,
which enables APEI and fixes the problem.
BZ#748441
Previously, the origin device was being read when overwriting a complete chunk in the
snapshot. This led to a significant memory leak when using the dm-snapshot module. With
this update, reading of the origin device is skipped, and the memory leak no longer occurs.
BZ#750208
When the user attempted to list the mounted GFS2 file systems, a kernel panic occurred.
This happened if the file in the location which the user tried to list was at the same time
being manipulated by using the "fallocate" command. With this update, page cache is no
longer used; the block is zeroed out at allocation time instead. Now, a kernel panic no
longer occurs.
BZ#749018
The queuecommand error-handling function could cause memory leaks or prevent the TUR
command from finishing for SCSI device drivers that enabled the support for lockless
dispatching (lockless=1). This happened because the device driver did not call the
scsi_cmd_get_serial() function and the serial_number property of the command remained
zero. Consequently, the SCSI command could not be finished or aborted as the
error-handling function always returned success for "serial_number == 0". The check for the
serial number has been removed and the SCSI command can be finished or aborted.
BZ#750583
A previous patch for the Ironlake graphics controller and memory controller hub (GMCH)
with a workaround for Virtualization Technology for Directed I/O (VT-d) introduced
recursive calls to the unmap() function. With this update, a flag, which prevents the
recursion, was added to the call chain, which allows the called routines to prevent the
recursion.
Enhancements
Note
For more information on the most important of the RHEL 6.2 kernel enhancements, refer to the
Red Hat Enterprise Linux 6.2 Release Notes.
BZ#707287
This update introduces a kernel module option that allows the disabling of the Flow
Director.
BZ#706167
This update adds XTS (XEX-based Tweaked CodeBook) AES256 self-tests to meet the
FIPS-140 requirements.
BZ#635968
This update introduces parallel port printer support for Red Hat Enterprise Linux 6.
BZ#699865
This update reduces the overhead of probes provided by kprobe (a dynamic
instrumentation system), and enhances the performance of SystemTap.
BZ#696695
With this update, the JSM driver has been updated to support enabling the Bell2 (with
PLX chip) 2-port adapter on POWER7 systems. Additionally, EEH support has been added
to the JSM driver.
BZ#669739
Memory limit for x86_64 domU PV guests has been increased to 128 GB:
CONFIG_XEN_MAX_DOMAIN_MEMORY=128.
BZ#662208
In Red Hat Enterprise Linux 6.2, the taskstat utility (which prints ASET tasks status) in the
kernel has been enhanced by providing microsecond CPU time granularity to the top
utility.
BZ#708365
Red Hat Enterprise Linux 6.2 introduced the multi-message send syscall, which is the send
version of the existing recvmmsg syscall in Red Hat Enterprise Linux 6.
The following is the syscall sendmmsg socket API:
struct mmsghdr {
    struct msghdr msg_hdr;
    unsigned msg_len;
};

ssize_t sendmmsg(int socket, struct mmsghdr *datagrams, int vlen,
                 int flags);
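The following C program is an added example, not part of the Red Hat notes: it sends a batch of datagrams with one sendmmsg system call, resumes after a partially accepted batch, and checks the per-message msg_len the kernel fills in. The names batch_hdr, raw_sendmmsg, send_batch and demo_roundtrip are assumptions of this example; the call is made through syscall(2) with a local copy of the struct shown above, so the program builds whether or not the C library provides a sendmmsg() wrapper.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* for syscall() on strict compilers */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

#define MAX_BATCH 8

/* Same layout as the struct mmsghdr shown above, under a different name
 * (an assumption of this example) so it cannot clash with libc headers. */
struct batch_hdr {
    struct msghdr msg_hdr;      /* ordinary sendmsg() header for one datagram */
    unsigned int  msg_len;      /* set by the kernel: bytes sent for this entry */
};

/* Thin wrapper around the system call itself. */
static long raw_sendmmsg(int fd, struct batch_hdr *vec, unsigned int vlen, int flags)
{
    return syscall(SYS_sendmmsg, fd, vec, vlen, flags);
}

/* Send `count` NUL-terminated payloads as separate datagrams.
 * Returns the number of datagrams sent, or -1 if none could be sent. */
int send_batch(int fd, const char *const payloads[], unsigned int count,
               unsigned int sent_len[])
{
    struct iovec iov[MAX_BATCH];
    struct batch_hdr vec[MAX_BATCH];
    unsigned int done = 0, i;

    if (count == 0 || count > MAX_BATCH)
        return -1;
    memset(vec, 0, sizeof(vec));
    for (i = 0; i < count; i++) {
        iov[i].iov_base = (void *)payloads[i];
        iov[i].iov_len = strlen(payloads[i]);
        vec[i].msg_hdr.msg_iov = &iov[i];
        vec[i].msg_hdr.msg_iovlen = 1;
    }
    /* The return value is the number of messages accepted, which can be
     * smaller than vlen; resume from the first unsent entry. */
    while (done < count) {
        long n = raw_sendmmsg(fd, vec + done, count - done, 0);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            break;
        done += (unsigned int)n;
    }
    for (i = 0; i < done; i++)
        sent_len[i] = vec[i].msg_len;
    return done ? (int)done : -1;
}

/* Constructed demo: three datagrams over a local AF_UNIX datagram pair.
 * Returns how many arrived whole, in order, with a matching msg_len. */
int demo_roundtrip(void)
{
    static const char *const msgs[] = { "alpha", "bravo-bravo", "c" };
    unsigned int lens[3] = { 0, 0, 0 };
    char buf[64];
    int sv[2], sent, ok = 0, i;

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    sent = send_batch(sv[0], msgs, 3, lens);
    for (i = 0; i < sent; i++) {
        ssize_t r = recv(sv[1], buf, sizeof(buf), MSG_DONTWAIT);
        if (r == (ssize_t)strlen(msgs[i]) && lens[i] == (unsigned int)r &&
            memcmp(buf, msgs[i], (size_t)r) == 0)
            ok++;
    }
    close(sv[0]);
    close(sv[1]);
    return ok;
}

int main(void)
{
    printf("datagrams sent and verified: %d\n", demo_roundtrip());
    return 0;
}
```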
BZ#647700
Red Hat Enterprise Linux 6.2's EDAC driver support for the latest Intel chipset is available
as a Technical Preview.
BZ#599054
In Red Hat Enterprise Linux 6.2, the ipset feature in the kernel is added to store multiple IP
addresses or port numbers, and match against the collection by iptables.
Users should upgrade to these updated packages, which contain backported patches to correct
these issues, fix these bugs, and add these enhancements. The system must be rebooted for this
update to take effect.
4.119.7. RHSA-2011:1849 — Important: kernel security and bug fix update
Updated kernel packages that fix one security issue and various bugs are now available for Red Hat
Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link(s) associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security Fix
CVE-2011-4127, Important
Using the SG_IO IOCTL to issue SCSI requests to partitions or LVM volumes resulted in the
requests being passed to the underlying block device. If a privileged user only had access
to a single partition or LVM volume, they could use this flaw to bypass those restrictions
and gain read and write access (and be able to issue other SCSI commands) to the entire
block device.
In KVM (Kernel-based Virtual Machine) environments using raw format virtio disks backed
by a partition or LVM volume, a privileged guest user could bypass intended restrictions
and issue read and write requests (and other SCSI commands) on the host, and possibly
access the data of other guests that reside on the same underlying block device.
Partition-based and LVM-based storage pools are not used by default. Refer to Red Hat Bugzilla bug
752375 for further details and a mitigation script for users who cannot apply this update
immediately.
Bug Fixes
BZ#750459
Previously, idle load balancer kick requests from other CPUs could be serviced without first
receiving an inter-processor interrupt (IPI). This could have led to a deadlock.
BZ#751403
This update fixes a performance regression that may have caused processes (including
KVM guests) to hang for a number of seconds.
BZ#755545
When md_raid1_unplug_device() was called while holding a spinlock, under certain device
failure conditions, it was possible for the lock to be requested again, deeper in the call
chain, causing a deadlock. Now, md_raid1_unplug_device() is no longer called while
holding a spinlock.
BZ#756426
In hpet_next_event(), an interrupt could have occurred between the read and write of the
HPET (High Performance Event Timer) and the value of HPET_COUNTER was then beyond
that being written to the comparator (HPET_Tn_CMP). Consequently, the timers were
overdue for up to several minutes. Now, a comparison is performed between the value of the
counter and the comparator in the HPET code. If the counter is beyond the comparator, the
"-ETIME" error code is returned.
BZ#756427
Index allocation in the virtio-blk module was based on a monotonically increasing variable
"index". Consequently, released indexes were not reused and after a period of time, no new
indexes were available. Now, virtio-blk uses the ida API to allocate indexes.
BZ#757671
A bug related to Context Caching existed in the Intel IOMMU support module. On some
newer Intel systems, the Context Cache mode has changed from previous hardware
versions, potentially exposing a Context coherency race. The bug was exposed when
performing a series of hot plug and unplug operations of a Virtual Function network device
which was immediately configured into the network stack, i.e., successfully performed
dynamic host configuration protocol (DHCP). When the coherency race occurred, the
assigned device would not work properly in the guest virtual machine. With this update, the
Context coherency is corrected and the race and potentially resulting device assignment
failure no longer occur.
BZ#758028
The align_va_addr kernel parameter was ignored if secondary CPUs were initialized. This
happened because the parameter settings were overridden during the initialization of
secondary CPUs. Also, the align_va_addr parameter documentation contained incorrect
parameter arguments. With this update, the underlying code has been modified to prevent
the overriding and the documentation has been updated. This update also removes the
unused code introduced by the patch for BZ #739456.
BZ#758513
Dell systems based on a future Intel processor with graphics acceleration required the
selection of the install system with basic video driver installation option. This update
removes this requirement.
Users should upgrade to these updated packages, which contain backported patches to correct
these issues. The system must be rebooted for this update to take effect.
4.119.8. RHSA-2012:0052 — Important: kernel security and bug fix update
Updated kernel packages that fix one security issue and various bugs are now available for Red Hat
Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link(s) associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security Fix
CVE-2012-0056, Important
It was found that permissions were not checked properly in the Linux kernel when handling
the /proc/[pid]/mem writing functionality. A local, unprivileged user could use this flaw to
escalate their privileges. Refer to Red Hat Knowledgebase article 69124 for further
information.
Red Hat would like to thank Jüri Aedla for reporting this issue.
Bug Fixes
BZ#768288
The RHSA-2011:1849 kernel update introduced a bug in the Linux kernel scheduler,
causing a "WARNING: at kernel/sched.c:5915 thread_return" message and a call trace to
be logged. This message was harmless, and was not due to any system malfunctions or
adverse behavior. With this update, the WARN_ON_ONCE() call in the scheduler that
caused this harmless message has been removed.
BZ#769595
The RHSA-2011:1530 kernel update introduced a regression in the way the Linux kernel
maps ELF headers for kernel modules into kernel memory. If a third-party kernel module is
compiled on a Red Hat Enterprise Linux system with a kernel prior to RHSA-2011:1530, then
loading that module on a system with RHSA-2011:1530 kernel would result in corruption of
one byte in the memory reserved for the module. In some cases, this could prevent the
module from functioning correctly.
BZ#755867
On some SMP systems the tsc may erroneously be marked as unstable during early system
boot or while the system is under heavy load. A "Clocksource tsc unstable" message was
logged when this occurred. As a result the system would switch to the slower access, but
higher precision HPET clock.
The "tsc=reliable" kernel parameter is supposed to avoid this problem by indicating that the
system has a known good clock; however, the parameter only affected run time checks. A fix
has been put in to avoid the boot time checks so that the TSC remains as the clock for the
duration of system runtime.
Users should upgrade to these updated packages, which contain backported patches to correct
these issues. The system must be rebooted for this update to take effect.
4.119.9. RHSA-2012:0350 — Moderate: kernel security and bug fix update
Updated kernel packages that fix several security issues and bugs are now available for Red Hat
Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
Security Fixes
CVE-2011-4077, Moderate
A buffer overflow flaw was found in the way the Linux kernel's XFS file system
implementation handled links with overly long path names. A local, unprivileged user could
use this flaw to cause a denial of service or escalate their privileges by mounting a
specially-crafted disk.
CVE-2011-4081, Moderate
Flaws in ghash_update() and ghash_final() could allow a local, unprivileged user to cause
a denial of service.
CVE-2011-4132, Moderate
A flaw was found in the Linux kernel's Journaling Block Device (JBD). A local, unprivileged
user could use this flaw to crash the system by mounting a specially-crafted ext3 or ext4
disk.
CVE-2011-4347, Moderate
It was found that the kvm_vm_ioctl_assign_device() function in the KVM (Kernel-based
Virtual Machine) subsystem of a Linux kernel did not check if the user requesting device
assignment was privileged or not. A local, unprivileged user on the host could assign
unused PCI devices, or even devices that were in use and whose resources were not
properly claimed by the respective drivers, which could result in the host crashing.
CVE-2011-4594, Moderate
Two flaws were found in the way the Linux kernel's __sys_sendmsg() function, when
invoked via the sendmmsg() system call, accessed user-space memory. A local,
unprivileged user could use these flaws to cause a denial of service.
CVE-2011-4611, Moderate
The RHSA-2011:1530 kernel update introduced an integer overflow flaw in the Linux kernel.
On PowerPC systems, a local, unprivileged user could use this flaw to cause a denial of
service.
CVE-2011-4622, Moderate
A flaw was found in the way the KVM subsystem of a Linux kernel handled PIT
(Programmable Interval Timer) IRQs (interrupt requests) when there was no virtual interrupt
controller set up. A local, unprivileged user on the host could force this situation to occur,
resulting in the host crashing.
CVE-2012-0038, Moderate
A flaw was found in the way the Linux kernel's XFS file system implementation handled
on-disk Access Control Lists (ACLs). A local, unprivileged user could use this flaw to cause a
denial of service or escalate their privileges by mounting a specially-crafted disk.
CVE-2012-0045, Moderate
A flaw was found in the way the Linux kernel's KVM hypervisor implementation emulated the
syscall instruction for 32-bit guests. An unprivileged guest user could trigger this flaw to
crash the guest.
CVE-2012-0207, Moderate
A divide-by-zero flaw was found in the Linux kernel's igmp_heard_query() function. An
attacker able to send certain IGMP (Internet Group Management Protocol) packets to a
target system could use this flaw to cause a denial of service.
Red Hat would like to thank Nick Bowler for reporting CVE-2011-4081; Sasha Levin for reporting
CVE-2011-4347; Tetsuo Handa for reporting CVE-2011-4594; Maynard Johnson for reporting
CVE-2011-4611; Wang Xi for reporting CVE-2012-0038; Stephan Bärwolf for reporting CVE-2012-0045; and
Simon McVittie for reporting CVE-2012-0207. Upstream acknowledges Mathieu Desnoyers as the
original reporter of CVE-2011-4594.
Bug Fixes
BZ#789058
Windows clients never send write requests larger than 64 KB but the default size for write
requests in Common Internet File System (CIFS) was set to a much larger value.
Consequently, write requests larger than 64 KB caused various problems on certain
third-party servers. This update lowers the default size for write requests to prevent this bug. The
user can override this value to a larger one to get better performance.
BZ#788003
In certain circumstances, the qla2xxx driver was unable to discover fibre channel (FC) tape
devices because the ADISC ELS request failed. This update adds the new module
parameter, ql2xasynclogin, to address this issue. When this parameter is set to "0", FC tape
devices are discovered properly.
BZ#787580
Socket callbacks use the svc_xprt_enqueue() function to add sockets to the pool->sp_sockets list. In normal operation, a server thread will later take the socket off that list.
Previously, on the nfsd daemon shutdown, still-running svc_xprt_enqueue() could re-add
a socket to the sp_sockets list just before it was deleted. Consequently, the system could
terminate unexpectedly due to memory corruption in the sunrpc module. With this update, the
XPT_BUSY flag is put on every socket and svc_xprt_enqueue() now checks this flag, thus
preventing this bug.
BZ#787162
When trying to send a kdump file to a remote system via the tg3 driver, the tg3 NIC (network
interface controller) could not establish the connection and the file could not be sent. The
kdump kernel leaves the MSI-X interrupts enabled as set by the crashed kernel; however,
the kdump kernel only enables one CPU and this could cause the interrupt delivery to the
tg3 driver to fail. With this update, tg3 enables only a single MSI-X interrupt in the kdump
kernel to match the overall environment, thus preventing this bug.
BZ#786022
Previously, the cfq_cic_link() function had a race condition. When several processes that
shared an ioc issued I/O to the same block device simultaneously, cfq_cic_link() sometimes
returned the -EEXIST error code. Consequently, one of the processes started to wait
indefinitely. A patch has been provided to address this issue and the cfq_cic_lookup() call
is now retried in the described scenario, thus fixing this bug.
BZ#783226
When transmitting a fragmented socket buffer (SKB), the qlge driver fills a descriptor with
fragment addresses, after DMA-mapping them. On systems with pages larger than 8 KB and
less than eight fragments per SKB, a macro defined the size of the OAL (Outbound Address
List) list as 0. For SKBs with more than eight fragments, this would start overwriting the list
of addresses already mapped and would make the driver fail to properly unmap the right
addresses on architectures with pages larger than 8 KB. With this update, the size of the
external list for TX address descriptors has been fixed and qlge no longer fails in the
described scenario.
BZ#781971
The time-out period in the qla2x00_fw_ready() function was hard-coded to 20 seconds.
This period was too short for new QLogic host bus adapters (HBAs) for Fibre Channel over
Ethernet (FCoE). Consequently, some logical unit numbers (LUNs) were missing after a
reboot. With this update, the time-out period has been set to 60 seconds so that the
modprobe utility is able to recheck the driver module, thus fixing this bug.
BZ#772687
Previously, the remove_from_page_cache() function was not exported. Consequently, the
module for the Lustre file system did not work correctly. With this update,
remove_from_page_cache() is properly exported, thus fixing this bug.
BZ#761536
Due to a regression, the updated vmxnet3 driver used the ndo_set_features() method
instead of various methods of the ethtool utility. Consequently, it was not possible to make
changes to vmxnet3-based network adapters in Red Hat Enterprise Linux 6.2. This update
restores the ability of the driver to properly set features, such as csum or TSO (TCP
Segmentation Offload), via ethtool.
BZ#771981
Due to a regression, an attempt to open a directory that did not have a cached dentry failed
and the EISDIR error code was returned. The same operation succeeded if a cached dentry
existed. This update modifies the nfs_atomic_lookup() function to allow fallbacks to normal
look-up in the described scenario.
BZ#768916
On a system with an idle network interface card (NIC) controlled by the e1000e driver, when
the card transmitted up to four descriptors, which delayed the write-back and nothing else,
the run of the watchdog driver about two seconds later forced a check for a transmit hang
in the hardware, which found the old entry in the TX ring. Consequently, a false "Detected
Hardware Unit Hang" message was issued to the log. With this update, when the hang is
detected, the descriptor is flushed and the hang check is run again, which fixes this bug.
BZ#769208
The CFQ (Completely Fair Queuing) scheduler does idling on sequential processes. With
changes to the IOeventFD feature, the traffic pattern at CFQ changed and CFQ considered
everything a thread was doing to be sequential I/O operations. Consequently, CFQ did not allow
preemption across threads in Qemu. This update increases the preemption threshold and
the idling is now limited in the described scenario without the loss of throughput.
BZ#771870
A bug in the splice code has caused the file position on the write side of the sendfile()
system call to be incorrectly set to the read side file position. This could result in the data
being written to an incorrect offset. Now, sendfile() has been modified to correctly use the
current file position for the write side file descriptor, thus fixing this bug.
Note
Note that in the following common sendfile() scenarios, this bug does not occur:
when both read and write file positions are identical and when the file position is not
important, for example, if the write side is a socket.
BZ#772884
On large SMP systems, the TSC (Time Stamp Counter) clock frequency could be incorrectly
calculated. The discrepancy between the correct value and the incorrect value was within
0.5%. When the system rebooted, this small error would result in the system becoming out
of synchronization with an external reference clock (typically an NTP server). With this
update, the TSC frequency calculation has been improved and the clock correctly
maintains synchronization with external reference clocks.
Users should upgrade to these updated packages, which contain backported patches to correct
these issues and fix these bugs. The system must be rebooted for this update to take effect.
4.119.10. RHSA-2012:0481 — Moderate: kernel security, bug fix, and enhancement update
Updated kernel packages that resolve several security issues, fix a number of bugs, and add several
enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
Security Fixes
CVE-2012-0879, Moderate
Numerous reference count leaks were found in the Linux kernel's block layer I/O context
handling implementation. This could allow a local, unprivileged user to cause a denial of
service.
CVE-2012-1090, Moderate
A flaw was found in the Linux kernel's cifs_lookup() implementation. POSIX open during
lookup should only be supported for regular files. When non-regular files (for example, a
named (FIFO) pipe or other special files) are opened on lookup, it could cause a denial of
service.
CVE-2012-1097, Moderate
It was found that the Linux kernel's register set (regset) common infrastructure
implementation did not check if the required get and set handlers were initialized. A local,
unprivileged user could use this flaw to cause a denial of service by performing a register
set operation with a ptrace() PTRACE_SETREGSET or PTRACE_GETREGSET request.
Red Hat would like to thank H. Peter Anvin for reporting CVE-2012-1097.
Bug Fixes
BZ#805458
Previously, if more than a certain number of qdiscs (Classless Queuing Disciplines) using
the autohandle mechanism were allocated, a soft lock-up error occurred. This update fixes
the maximum loop count and adds the cond_resched() call in the loop, thus fixing this
bug.
BZ#804961
Concurrent look-up operations of the same inode that was not in the per-AG (Allocation
Group) inode cache caused a race condition, triggering warning messages to be returned
in the unlock_new_inode() function. Although this bug could only be exposed by NFS
or the xfsdump utility, it could lead to inode corruption, inode list corruption, or other
related problems. With this update, the XFS_INEW flag is set before inserting the inode into
the radix tree. Now, any concurrent look-up operation finds the new inode with XFS_INEW
set and the operation is then forced to wait until XFS_INEW is removed, thus fixing this bug.
BZ#802430
Previously, when isolating pages for migration, the migration started at the start of a zone
while the free scanner started at the end of the zone. Migration avoids entering a new zone
by never going beyond what the free scanner scanned. In very rare cases, nodes
overlapped and the migration isolated pages without the LRU lock held, which triggered
errors in reclaim or during page freeing. With this update, the isolate_migratepages()
function makes a check to ensure that it never isolates pages from a zone it does not hold
the LRU lock for, thus fixing this bug.
BZ#802379
An anomaly in the memory map created by the mbind() function caused a segmentation
fault in Hotspot Java Virtual Machines with the NUMA-aware Parallel Scavenge garbage
collector. A backported upstream patch that fixes mbind() has been provided and the
crashes no longer occur in the described scenario.
BZ#786873
Previously, the SFQ qdisc packet scheduler class had no bind_tcf() method.
Consequently, if a filter was added with the classid parameter to SFQ, a kernel panic
occurred due to a null pointer dereference. With this update, the dummy .unbind_tcf and
.put qdisc class options have been added to conform with the behaviour of other
schedulers, thus fixing this bug.
BZ#787764
The kernel code checks for conflicts when an application requests a specific port. If there is
no conflict, the request is granted. However, the port auto-selection done by the kernel
failed when all ports were bound, even if there was an available port with no conflicts. With
this update, the port auto-selection code has been fixed to properly use ports with no
conflicts.
BZ#789060
Due to a race condition between the notify_on_release() function and task movement
between cpuset or memory cgroup directories, a system deadlock could occur. With this
update, the cgroup_wq cgroup has been created and both
async_rebuild_domains() and check_for_release() functions used for task
movements use it, thus fixing this bug.
BZ#789061
Previously, the utime and stime values in the /proc/<pid>/stat file of a multithreaded process could wrongly decrease when one of its threads exited. A backported
patch has been provided to maintain monotonicity of utime and stime in the described
scenario, thus fixing this bug.
BZ#801723
The vmxnet3 driver in Red Hat Enterprise Linux 6.2 introduced a regression. Due to an
optimization, in which at least 54 bytes of a frame were copied to a contiguous buffer,
shorter frames were dropped as the frame did not have 54 bytes available to copy. With this
update, transfer size for a buffer is limited to 54 bytes or the frame size, whichever is smaller,
and short frames are no longer dropped in the described scenario.
BZ#789373
In the Common Internet File System (CIFS), the oplock break jobs and async callback
handlers both use the SLOW-WORK workqueue, which has a finite pool of threads.
Previously, these oplock break jobs could end up taking all the running queues waiting
for a page lock which blocks the callback required to free this page lock from being
completed. This update separates the oplock break jobs into a separate workqueue
VERY-SLOW-WORK, allowing the callbacks to be completed successfully and preventing
the deadlock.
BZ#789911
Previously, the doorbell register was being unconditionally swapped. If the Blue Frame
option was enabled, the register was incorrectly written to the descriptor in the little endian
format. Consequently, certain adapters could not communicate over a configured IP
address. With this update, the doorbell register is not swapped unconditionally, rather, it
is always converted to big endian before it is written to the descriptor, thus fixing this bug.
BZ#790007
Previously, due to a bug in a graphics driver in systems running a future Intel processor
with graphics acceleration, attempts to suspend the system to the S3/S4 state failed. This
update resolves this issue and transitions to the suspend mode now work correctly in the
described scenario.
BZ#790338
Prior to this update, the wrong size was being calculated for the vfinfo structure.
Consequently, networking drivers that created a large number of virtual functions caused
warning messages to appear when loading and unloading modules. Backported patches
from upstream have been provided to resolve this issue, thus fixing this bug.
BZ#790341
Previously, when a MegaRAID 9265/9285 or 9360/9380 controller got a timeout in the
megaraid_sas driver, the invalid SCp.ptr pointer could be called from the
megasas_reset_timer() function. As a consequence, a kernel panic could occur. An
upstream patch has been provided to address this issue and the pointer is now always set
correctly.
BZ#790905
Previously, when pages were being migrated via NFS with active requests on them, if a
particular inode ended up deleted, then the VFS called the truncate_inode_pages()
function. That function tried to take the page lock, but it was already locked when
migrate_page() was called. As a consequence, a deadlock occurred in the code. This
bug has been fixed and the migration request is now refused if the PagePrivate
parameter is already set, indicating that the page is already associated with an active read
or write request.
BZ#795326
Due to invalid calculations of the vruntime variable along with task movement between
cgroups, moving tasks between cgroups could cause very long scheduling delays. This
update fixes this problem by setting the cfs_rq and curr parameters after holding the rq->lock lock.
BZ#795335
Due to a race condition, running the ifenslave -d bond0 eth0 command to remove
the slave interface from the bonding device could cause the system to terminate if a
networking packet was being received at the same time. With this update, the race condition
has been fixed and the system no longer crashes in the described scenario.
BZ#795338
Previously, an unnecessary assertion could trigger depending on the value of the
xpt_pool field. As a consequence, a node could terminate unexpectedly. The xpt_pool
field was in fact unnecessary and this update removes it from the sunrpc code, thus
preventing this bug.
BZ#797241
Due to a race condition, the mac80211 framework could deauthenticate with an access
point (AP) while still scheduling authentication retries with the same AP. If such an
authentication attempt timed out, a warning message was returned to kernel log files. With
this update, when deauthenticating, pending authentication retry attempts are checked and
cancelled if found, thus fixing this bug.
BZ#801718
Prior to this update, the find_busiest_group() function used sched_group->cpu_power in the denominator of a fraction with a value of 0. Consequently, a kernel
panic occurred. This update prevents the divide by zero in the kernel and the panic no
longer occurs.
BZ#798572
When the nohz=off kernel parameter was set, the kernel could not enter any CPU C-state.
With this update, the underlying code has been fixed and transitions to CPU idle states now
work as expected.
BZ#797182
Under heavy memory and file system load, the mapping->nrpages == 0 assertion could
occur in the end_writeback() function. As a consequence, a kernel panic could occur.
This update provides a reliable check for mapping->nrpages that prevents the described
assertion, thus fixing this bug.
BZ#797205
Due to a bug in the hid_reset() function, a deadlock could occur when a Dell iDRAC
controller was reset. Consequently, its USB keyboard or mouse device became
unresponsive. A patch that fixes the underlying code has been provided to address this
bug and the hangs no longer occur in the described scenario.
BZ#796828
On a system that created and deleted lots of dynamic devices, the 31-bit Linux ifindex
object failed to fit in the 16-bit macvtap minor range, resulting in unusable macvtap
devices. The problem primarily occurred in a libvirt-controlled environment when many
virtual machines were started or restarted, and caused libvirt to report the following
message:
Error starting domain: cannot open macvtap tap device
/dev/tap222364: No such device or address
With this update, the macvtap's minor device number allocation has been modified so that
virtual machines can now be started and restarted as expected in the described scenario.
BZ#799943
The dm_mirror module can send discard requests. However, the dm_io interface did not
support discard requests and running an LVM mirror over a discard-enabled device led to
a kernel panic. This update adds support for the discard requests to the dm_io interface
and kernel panics no longer occur in the described scenario.
BZ#749248
When a process isolation mechanism such as LXC (Linux Containers) was used and the
user space was running without the CAP_SYS_ADMIN identifier set, a jailed root user could
bypass the dmesg_restrict protection, creating an inconsistency. Now, writing to
dmesg_restrict is only allowed when the root has CAP_SYS_ADMIN set, thus preventing
this bug.
Enhancements
BZ#789371
With this update, the igb driver has been updated to the latest upstream version 3.2.10-k to provide up-to-date hardware support, features and bug fixes.
BZ#800552
This update provides support for the O_DIRECT flag for files in FUSE (Filesystem in
Userspace). This flag minimizes cache effects of the I/O to and from a file. In general, using
this flag degrades performance, but it is useful in special situations, such as when
applications do their own caching.
BZ#770651
This update adds support for mount options to restrict access to /proc/<PID>/
directories. One of the options is called hidepid= and its value defines how much
information about processes is provided to non-owners. The gid= option defines a group
that gathers information about all processes. Untrusted users, which are not supposed to
monitor tasks in the whole system, should not be added to the group.
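A check that a mount table actually applies these options, as an added example that is not part of the Technical Notes: it parses lines in /proc/mounts format and reports the hidepid= level and the gid= exemption group of the proc mount. The function names, the policy threshold and the sample lines are constructed for illustration; it assumes the levels documented for the kernel's proc file system (0 is the default, 1 denies access to other users' /proc/<PID>/ contents, 2 also hides those directories).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result of auditing one mount-table line. */
struct proc_audit {
    int is_proc;   /* 1 if the line describes a procfs mount */
    int hidepid;   /* 0 when the option is absent (kernel default) */
    long gid;      /* exempt group from gid=, or -1 when absent */
};

/* Look for "key=<number>" as a whole option in a comma-separated option
 * string. Returns 1 and stores the number if found, 0 otherwise. */
static int opt_value(const char *opts, const char *key, long *out)
{
    size_t klen = strlen(key);
    const char *p = opts;

    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            char *end;
            long v = strtol(p + klen + 1, &end, 10);
            if (end != p + klen + 1 && (*end == ',' || *end == '\0')) {
                *out = v;
                return 1;
            }
            return 0;          /* malformed value: treat as not set */
        }
        p = strchr(p, ',');
        if (p)
            p++;               /* step past the comma to the next option */
    }
    return 0;
}

/* Parse one line: device mountpoint fstype options dump pass. */
static struct proc_audit audit_mount_line(const char *line)
{
    struct proc_audit r = { 0, 0, -1 };
    char dev[128], dir[256], type[64], opts[512];
    long v;

    if (sscanf(line, "%127s %255s %63s %511s", dev, dir, type, opts) != 4)
        return r;
    if (strcmp(type, "proc") != 0)
        return r;              /* options on other file systems are ignored */
    r.is_proc = 1;
    if (opt_value(opts, "hidepid", &v))
        r.hidepid = (int)v;
    if (opt_value(opts, "gid", &v))
        r.gid = v;
    return r;
}

/* Policy used here (an assumption): non-owners must not be able to read
 * other users' process details, that is, hidepid must be at least 1. */
static int proc_is_restricted(const char *line)
{
    struct proc_audit r = audit_mount_line(line);
    return r.is_proc && r.hidepid >= 1;
}

/* Constructed sample lines, not taken from a real host. */
static const char SAMPLE_DEFAULT[]  = "proc /proc proc rw,relatime 0 0";
static const char SAMPLE_HARDENED[] =
    "proc /proc proc rw,relatime,gid=1001,hidepid=2 0 0";

int main(void)
{
    const char *lines[] = { SAMPLE_DEFAULT, SAMPLE_HARDENED };

    for (size_t i = 0; i < 2; i++) {
        struct proc_audit r = audit_mount_line(lines[i]);
        printf("hidepid=%d gid=%ld restricted=%s\n", r.hidepid, r.gid,
               proc_is_restricted(lines[i]) ? "yes" : "no");
    }
    return 0;
}
```

When gid= is reported, the membership of that group is the next thing to review, since its members see all processes regardless of the hidepid= level.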
Users should upgrade to these updated packages, which contain backported patches to resolve
these issues, fix these bugs, and add these enhancements. The system must be rebooted for this
update to take effect.
4.119.11. RHSA-2012:0571 — Moderate: kernel security and bug fix update
Updated kernel packages that resolve several security issues and fix a number of bugs are now
available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
Security Fixes
CVE-2011-4086, Moderate
A flaw was found in the way the Linux kernel's journal_unmap_buffer() function handled
buffer head states. On systems that have an ext4 file system with a journal mounted, a local,
unprivileged user could use this flaw to cause a denial of service.
CVE-2012-1601, Moderate
A flaw was found in the way the KVM_CREATE_IRQCHIP ioctl was handled. Calling this ioctl
when at least one virtual CPU (VCPU) already existed could lead to a NULL pointer
dereference later when the VCPU is scheduled to run. A local, unprivileged user on a KVM
host could use this flaw to crash the host.
Bug Fixes
BZ#810454
Previously, the eth_type_trans() function was called with the VLAN device type set. If a
VLAN device contained a MAC address different from the original device, an incorrect
packet type was assigned to the host. Consequently, if the VLAN devices were set up on a
bonding interface in Adaptive Load Balancing (ALB) mode, the TCP connection could not
be established. With this update, the eth_type_trans() function is called with the original
device, ensuring that the connection is established as expected.
BZ#801329
When short audio periods were configured, the ALSA PCM midlevel code, shared by all
sound cards, could cause audio glitches and other problems. This update adds a time
check for double acknowledged interrupts and improves stability of the snd-aloop kernel
module, thus fixing this bug.
BZ#802852
Previously, the idmapper utility pre-allocated space for all user and group names on an
NFS client in advance. Consequently, page allocation failure could occur, preventing a
proper mount of a directory. With this update, the allocation of the names is done
dynamically when needed, the size of the allocation table is now greatly reduced, and the
allocation failures no longer occur.
BZ#803881
In a Boot-from-SAN (BFS) installation via certain iSCSI adapters, the driver exported
sendtarget entries in the sysfs file system but iscsistart failed to perform
discovery. Consequently, a kernel panic occurred during the first boot sequence. With this
update, the driver performs the discovery instead, thus preventing this bug.
BZ#810322
The SCSI layer was not using a large enough buffer to properly read the entire BLOCK
LIMITS VPD page that is advertised by a storage array. Consequently, the WRITE SAME
MAX LEN parameter was read incorrectly and this could result in the block layer issuing
discard requests that were too large for the storage array to handle. This update increases
the size of the buffer that the BLOCK LIMITS VPD page is read into and the discard
requests are now issued with proper size, thus fixing this bug.
BZ#805457
A bug in the try_to_wake_up() function could cause status change from TASK_DEAD to
TASK_RUNNING in a race condition with an SMI (system management interrupt) or a guest
environment of a virtual machine. As a consequence, the exited task was scheduled again
and a kernel panic occurred. This update fixes the race condition in the do_exit()
function and the panic no longer occurs in the described scenario.
BZ#806205
When expired user credentials were used in the RENEW() calls, the calls failed.
Consequently, all access to the NFS share on the client became unresponsive. With this
update, the machine credentials are used with these calls instead, thus preventing this bug
most of the time. If no machine credentials are available, user credentials are used as
before.
BZ#806859
When the python-perf subpackage was installed, the debug information for the bindings
was added to the debuginfo-common subpackage, making it impossible to install the debuginfo-common package of a different version. With this update, a separate subpackage is used to
store debug information for python-perf, thus fixing this bug.
BZ#809388
Due to the netdevice handler for FCoE (Fibre Channel over Ethernet) and the exit path
blocking the keventd work queue, the destroy operation on an NPIV (N_Port ID
Virtualization) FCoE port led to a deadlock interdependency and caused the system to
become unresponsive. With this update, the destroy_work item has been moved to its
own work queue and is now executed in the context of the user space process requesting
the destroy, thus preventing this bug.
BZ#809372
The fcoe_transport_destroy path uses a work queue to destroy the specified FCoE
interface. Previously, the destroy_work work queue item blocked another single-threaded
work queue. Consequently, a deadlock between queues occurred and the system became
unresponsive. With this update, fcoe_transport_destroy has been modified and is
now a synchronous operation, which breaks the deadlock dependency. As a result,
destroy operations are now able to complete properly, thus fixing this bug.
BZ#809378
During tests with active I/O on 256 LUNs (logical unit numbers) over FCoE, a large number
of SCSI mid-layer error messages were returned. As a consequence, the system became
unresponsive. This bug has been fixed by limiting the source of the error messages and the
hangs no longer occur in the described scenario.
BZ#807158
When running AF_IUCV socket programs with IUCV transport, an IUCV SEVER call was
missing in the callback of a receiving IUCV SEVER interrupt. Under certain circumstances,
this could prevent z/VM from removing the corresponding IUCV-path completely. This
update adds the IUCV SEVER call to the callback, thus fixing this bug. In addition, internal
socket states have been merged, thus simplifying the AF_IUCV code.
BZ#809374
Previously, the AMD IOMMU (input/output memory management unit) driver could use the
MSI address range for DMA (direct memory access) addresses. As a consequence, DMA
could fail and spurious interrupts would occur if this address range was used. With this
update, the MSI address range is reserved to prevent the driver from allocating wrong
addresses and DMA is now assured to work as expected in the described scenario.
BZ#811299
Due to incorrect use of the list_for_each_entry_safe() macro, the enumeration of
remote procedure calls (RPCs) priority wait queue tasks stored in the tk_wait.links list
failed. As a consequence, the rpc_wake_up() and rpc_wake_up_status() functions
failed to wake up all tasks. This caused the system to become unresponsive and could
significantly decrease system performance. Now, the list_for_each_entry_safe()
macro is no longer used in rpc_wake_up(), ensuring reasonable system performance.
BZ#809376
The AMD IOMMU driver used the wrong shift direction in the alloc_new_range() function.
Consequently, the system could terminate unexpectedly or become unresponsive. This
update fixes the code and crashes and hangs no longer occur in the described scenario.
BZ#809104
Previously, a bonding device always had the UFO (UDP Fragmentation Offload) feature
enabled even when no slave interfaces supported UFO. Consequently, the tracepath
command could not return the correct path MTU. With this update, UFO is no longer configured
for bonding interfaces by default if the underlying hardware does not support it, thus fixing
this bug.
BZ#807426
Previously, when the PCI driver switched from MSI/MSI-X (Message Signaled Interrupts) to
the INTx emulation while shutting down a device, an unwanted interrupt was generated.
Consequently, the IPMI interrupt handler was called repeatedly, causing the system to
become unresponsive. This update adds a parameter to avoid using MSI/MSI-X for PCIe
native hot plug operations and the hangs no longer occur in the described scenario.
BZ#811135
On NFS, when repeatedly reading a directory whose content kept changing, the client
issued the same readdir request twice. Consequently, the following warning messages
were returned to the dmesg output:
NFS: directory A/B/C contains a readdir loop.
This update fixes the bug by turning off the loop detection and letting the NFS client try to
recover in the described scenario and the messages are no longer returned.
BZ#806906
The Intelligent Platform Management Interface (IPMI) specification requires a minimum
communication timeout of five seconds. Previously, the kernel incorrectly used a timeout of
one second. This could result in failures to communicate with Baseboard Management
Controllers (BMC) under certain circumstances. With this update, the timeout has been
increased to five seconds to prevent such problems.
BZ#804548
Prior to this update, bugs in the close() and send() functions caused delays and
operation of these two functions took too long to complete. This update adds the
IUCV_CLOSED state change and improves locking for close(). Also, the net_device
handling has been improved in send(). As a result, the delays no longer occur.
BZ#804547
When AF_IUCV sockets were using the HiperSockets transport, the maximum message size for
such transports depended on the MTU (maximum transmission unit) size of the
HiperSockets device bound to an AF_IUCV socket. However, a socket program could not
determine the maximum size of a message. This update adds the MSG SIZE option for the
getsockopt() function. Through this option, the maximum message size can be read and
properly handled by AF_IUCV.
BZ#809391
Previously, on a system where intermediate P-states were disabled, the powernow-k8
driver could cause a kernel panic in the cpufreq subsystem. Additionally, not all available
P-states were recognized by the driver. This update modifies the driver code so that it now
properly recognizes all P-states and does not cause the panics in the described scenario.
Users should upgrade to these updated packages, which contain backported patches to resolve
these issues and fix these bugs. The system must be rebooted for this update to take effect.
4.119.12. RHBA-2012:0124 — kernel bug fix update
Updated kernel packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Bug Fix
BZ#781974
An insufficiently designed calculation in the CPU accelerator in the previous kernel caused
an arithmetic overflow in the sched_clock() function when system uptime exceeded 208.5
days. This overflow led to a kernel panic on the systems using the Time Stamp Counter
(TSC) or Virtual Machine Interface (VMI) clock source. This update corrects the
aforementioned calculation so that this arithmetic overflow and kernel panic can no longer
occur under these circumstances.
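Why the threshold falls at 208.5 days, as an added example that is not Red Hat's or the kernel's own code: it models a cycles-to-nanoseconds conversion under the assumption that the cycle count is multiplied by a factor scaled by 2^10 and then shifted right by 10, so the 64-bit product wraps once the result passes 2^54 ns (about 208.5 days). The function names, the TSC rates and the split-multiply correction are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define SCALE_SHIFT   10            /* assumed fixed-point scale: 2^10 */
#define NSEC_PER_MSEC 1000000ULL

/* Fixed-point multiplier: nanoseconds per cycle, scaled by 2^SCALE_SHIFT. */
static uint64_t cyc2ns_scale(uint64_t tsc_khz)
{
    return (NSEC_PER_MSEC << SCALE_SHIFT) / tsc_khz;
}

/* Overflow-prone form: the whole product cyc * scale must fit in 64 bits,
 * which stops being true when the result in ns reaches 2^(64 - 10). */
static uint64_t cycles_to_ns_naive(uint64_t cyc, uint64_t scale)
{
    return (cyc * scale) >> SCALE_SHIFT;
}

/* Split form: multiply the high and low parts of the cycle count
 * separately, so no intermediate value carries the extra 10 bits. */
static uint64_t cycles_to_ns_split(uint64_t cyc, uint64_t scale)
{
    uint64_t quot = cyc >> SCALE_SHIFT;
    uint64_t rem  = cyc & ((1ULL << SCALE_SHIFT) - 1);

    return quot * scale + ((rem * scale) >> SCALE_SHIFT);
}

/* Cycle count accumulated after the given uptime at the given TSC rate. */
static uint64_t cycles_after_days(uint64_t days, uint64_t tsc_khz)
{
    return days * 86400ULL * 1000ULL * tsc_khz;
}

/* First whole day of uptime on which the naive conversion is wrong.
 * Returns 0 if no mismatch is seen within 1000 days. */
static uint64_t first_bad_day(uint64_t tsc_khz)
{
    uint64_t scale = cyc2ns_scale(tsc_khz);

    for (uint64_t day = 1; day <= 1000; day++) {
        uint64_t cyc = cycles_after_days(day, tsc_khz);

        if (cycles_to_ns_naive(cyc, scale) != cycles_to_ns_split(cyc, scale))
            return day;
    }
    return 0;
}

int main(void)
{
    /* Constructed TSC rates: 1 GHz and 2.5 GHz. */
    const uint64_t rates_khz[] = { 1000000ULL, 2500000ULL };

    for (size_t i = 0; i < 2; i++) {
        uint64_t khz = rates_khz[i];
        uint64_t scale = cyc2ns_scale(khz);
        uint64_t cyc = cycles_after_days(209, khz);

        printf("tsc_khz=%llu first bad day=%llu\n",
               (unsigned long long)khz,
               (unsigned long long)first_bad_day(khz));
        printf("  day 209 naive=%llu ns split=%llu ns\n",
               (unsigned long long)cycles_to_ns_naive(cyc, scale),
               (unsigned long long)cycles_to_ns_split(cyc, scale));
    }
    return 0;
}
```

The wrapped value is the true value modulo 2^54 ns, so the modelled clock appears to jump back by roughly 208.5 days, and the threshold does not depend on the TSC rate because the scale factor shrinks as the rate grows.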
All users are advised to upgrade to these updated packages, which fix this bug. The system must be
rebooted for this update to take effect.
4.119.13. RHSA-2012:0743 — Important: kernel security and bug fix update
Updated kernel packages that resolve several security issues and fix a number of bugs are now
available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
Security Fixes
CVE-2012-0044, Important
A local, unprivileged user could use an integer overflow flaw in
drm_mode_dirtyfb_ioctl() to cause a denial of service or escalate their privileges.
CVE-2012-2119, Important
A buffer overflow flaw was found in the macvtap device driver, used for creating a bridged
network between the guest and the host in KVM (Kernel-based Virtual Machine)
environments. A privileged guest user in a KVM guest could use this flaw to crash the host.
Note
Note that this issue only affected hosts that have the vhost_net module loaded with
the experimental_zcopytx module option enabled (it is not enabled by default),
and that also have macvtap configured for at least one guest.
CVE-2012-2123, Important
When a set user ID (setuid) application is executed, certain personality flags for controlling
the application's behavior are cleared (that is, a privileged application will not be affected
by those flags). It was found that those flags were not cleared if the application was made
privileged via file system capabilities. A local, unprivileged user could use this flaw to
change the behavior of such applications, allowing them to bypass intended restrictions.
Note that for default installations, no application shipped by Red Hat for Red Hat Enterprise
Linux is made privileged via file system capabilities.
CVE-2012-2136, Important
It was found that the data_len parameter of the sock_alloc_send_pskb() function in
the Linux kernel's networking implementation was not validated before use. A privileged
guest user in a KVM guest could use this flaw to crash the host or, possibly, escalate their
privileges on the host.
CVE-2012-2137, Important
A buffer overflow flaw was found in the setup_routing_entry() function in the KVM
subsystem of the Linux kernel in the way the Message Signaled Interrupts (MSI) routing
entry was handled. A local, unprivileged user could use this flaw to cause a denial of
service or, possibly, escalate their privileges.
CVE-2012-1179, Moderate
A race condition was found in the Linux kernel's memory management subsystem in the
way pmd_none_or_clear_bad(), when called with mmap_sem in read mode, and
Transparent Huge Pages (THP) page faults interacted. A privileged user in a KVM guest
with the ballooning functionality enabled could potentially use this flaw to crash the host. A
local, unprivileged user could use this flaw to crash the system.
CVE-2012-2121, Moderate
A flaw was found in the way device memory was handled during guest device removal.
Upon successful device removal, memory used by the device was not properly unmapped
from the corresponding IOMMU or properly released from the kernel, leading to a memory
leak. A malicious user on a KVM host who has the ability to assign a device to a guest
could use this flaw to crash the host.
CVE-2012-2372, Moderate
A flaw was found in the Linux kernel's Reliable Datagram Sockets (RDS) protocol
implementation. A local, unprivileged user could use this flaw to cause a denial of service.
CVE-2012-2373, Moderate
A race condition was found in the Linux kernel's memory management subsystem in the
way pmd_populate() and pte_offset_map_lock() interacted on 32-bit x86 systems
with more than 4GB of RAM. A local, unprivileged user could use this flaw to cause a denial
of service.
Red Hat would like to thank Chen Haogang for reporting CVE-2012-0044.
Bug Fixes
BZ#823903
Previously, if creation of an MFN (Machine Frame Number) was lazily deferred, the MFN
could appear invalid when it was not. If at this point read_pmd_atomic() was called,
which then called the paravirtualized __pmd() function, and returned zero, the kernel
could terminate unexpectedly. With this update, the __pmd() call is avoided in the
described scenario and the open-coded compound literal is returned instead, thus fixing
this bug.
BZ#812953
The kdump utility does not support Xen para-virtualized (PV) drivers on Hardware
Virtualized Machine (HVM) guests in Red Hat Enterprise Linux 6. Therefore, kdump failed to
start if the guest had loaded PV drivers. This update modifies underlying code to allow
kdump to start without PV drivers on HVM guests configured with PV drivers.
BZ#816226
Various problems were discovered in the iwlwifi driver when operating in the 5 GHz band.
Consequently, roaming between access points (AP) on 2.4 GHz and 5 GHz did not work
properly. This update adds a new option to the driver that disables the 5 GHz band
support.
BZ#816225
The ctx->vif identifier is dereferenced in different parts of the iwlwifi code. When it
was set to null before requesting hardware reset, the kernel could terminate unexpectedly.
An upstream patch has been provided to address this issue and the crashes no longer
occur in the described scenario.
BZ#824429
Previously, with a transparent proxy configured and under high load, the kernel could start
to drop packets, return error messages such as ip_rt_bug: addr1 -> addr2, ?, and,
under rare circumstances, terminate unexpectedly. This update provides patches
addressing these issues and the described problems no longer occur.
BZ#819614
Prior to this update, Active State Power Management (ASPM) was not properly disabled,
and this interfered with the correct operation of the hpsa driver. Certain HP BIOS versions
do not report a proper disable bit, and when the kernel fails to read this bit, the kernel
defaults to enabling ASPM. Consequently, certain servers equipped with an HP Smart Array
controller were unable to boot unless the pcie_aspm=off option was specified on the
kernel command line. A backported patch has been provided to address this problem,
ASPM is now properly disabled, and the system now boots up properly in the described
scenario.
BZ#799946
When an adapter was taken down over the RoCE (RDMA over Converged Ethernet) protocol
while a workload was running, the kernel terminated unexpectedly. A patch has been provided
to address this issue and the crash no longer occurs in the described scenario.
BZ#818504
Previously, network drivers that had Large Receive Offload (LRO) enabled by default
caused the system to run slowly, lose frames, and eventually stop communicating when
using software bridging. With this update, LRO is automatically disabled by the kernel on
systems with a bridged configuration, thus preventing this bug.
BZ#818503
Due to a running cursor blink timer, when attempting to hibernate certain types of laptops,
the i915 kernel driver could corrupt memory. Consequently, the kernel could crash
unexpectedly. An upstream patch has been provided to make the i915 kernel driver use
the correct console suspend API and the hibernate function now works as expected.
BZ#817466
The slave member of struct aggregator does not necessarily point to a slave which is
part of the aggregator. It points to the slave structure containing the aggregator structure,
while completely different slaves (or no slaves at all) may be part of the aggregator. Due to
a regression, the agg_device_up() function wrongly used agg->slave to find the state
of the aggregator. Consequently, the wrong active aggregator was reported in the
/proc/net/bonding/bond0 file. With this update, agg->lag_ports->slave is used
in the described scenario instead, thus fixing this bug.
BZ#816271
As part of mapping the application's memory, a buffer to hold page pointers is allocated
and the count of mapped pages is stored in the do_dio field. A non-zero do_dio marks
that direct I/O is in use. However, do_dio is only one byte in size. Previously, mapping
256 pages overflowed do_dio and caused it to be set to 0. As a consequence, when a large
enough number of read or write requests were sent using the st driver's direct I/O path, a
memory leak could occur in the driver. This update increases the size of do_dio, thus
preventing this bug.
BZ#810125
Previously, requests for large data blocks with the ZSECSENDCPRB ioctl() system call
failed due to an invalid parameter. A misleading error code was returned, concealing the
real problem. With this update, the parameter for the ZSECSENDCPRB request code
constant is validated with the correct maximum value. Now, if the parameter length is not
valid, the EINVAL error code is returned, thus fixing this bug.
BZ#814657
While doing wireless roaming, under stressed conditions, an error could occur in the
ieee80211_mgd_probe_ap_send() function and cause a kernel panic. With this
update, the mac80211 MLME (MAC Layer Management Entity) code has been rewritten, thus
fixing this bug.
BZ#816197
Previously, secondary, tertiary, and other IP addresses added to bond interfaces could
overwrite the bond->master_ip and vlan_ip values. Consequently, a wrong IP address
could be occasionally used, the MII (Media Independent Interface) status of the backup
slave interface went down, and the bonding master interfaces were switching. This update
removes the master_ip and vlan_ip elements from the bonding and vlan_entry
structures, respectively. Instead, devices are directly queried for the optimal source IP
address for ARP requests, thus fixing this bug.
BZ#818505
Red Hat Enterprise Linux 6.1 introduced naming scheme adjustments for emulated SCSI
disks used with paravirtual drivers to prevent namespace clashes between emulated IDE
and emulated SCSI disks. Both emulated disk types use the paravirt block device xvd.
Consider the example below:
Table 4.1. The naming scheme example
                 Red Hat Enterprise Linux 6.0   Red Hat Enterprise Linux 6.1 or later
emulated IDE     hda -> xvda                    unchanged
emulated SCSI    sda -> xvda                    sda -> xvde, sdb -> xvdf, ...
This update introduces a new module parameter, xen_blkfront.sda_is_xvda, that
provides a seamless upgrade path from 6.0 to 6.3 kernel release. The default value of
xen_blkfront.sda_is_xvda is 0 and it keeps the naming scheme consistent with 6.1
and later releases. When xen_blkfront.sda_is_xvda is set to 1, the naming scheme
reverts to the 6.0-compatible mode.
Note
Note that when upgrading from 6.0 to 6.3 release, if a virtual machine specifies
emulated SCSI devices and utilizes paravirtual drivers and uses explicit disk names
such as xvd[a-d], it is advised to add the xen_blkfront.sda_is_xvda=1
parameter to the kernel command line before performing the upgrade.
BZ#809399
Due to an off-by-one bug in max_blocks checks, on the 64-bit PowerPC architecture, the
tmpfs file system did not respect the size= parameter and consequently reported an incorrect
number of available blocks. A backported upstream patch has been provided to address
this issue and tmpfs now respects the size= parameter as expected.
Users should upgrade to these updated packages, which contain backported patches to resolve
these issues and fix these bugs. The system must be rebooted for this update to take effect.
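The one-byte counter truncation described in BZ#816271, as an added example that is not the st driver's code: a user-space C model in which the page count is stored in do_dio and the release path tests that field. Every name except do_dio is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model of the BZ#816271 failure mode; not the st driver's code.
 * Only the field name do_dio comes from the text, the rest is hypothetical. */

static int outstanding;              /* page-pointer buffers not yet freed */

struct buf_narrow {                  /* before the fix: one-byte counter */
    void **pages;
    unsigned char do_dio;
};

struct buf_wide {                    /* after the fix: wider counter */
    void **pages;
    unsigned int do_dio;
};

static void **pages_alloc(unsigned int nr_pages)
{
    void **p = calloc(nr_pages, sizeof(*p));
    if (p)
        outstanding++;
    return p;
}

static void pages_free(void **p)
{
    if (p) {
        free(p);
        outstanding--;
    }
}

/* Map: allocate the pointer buffer and record the page count in do_dio. */
static void map_narrow(struct buf_narrow *b, unsigned int nr_pages)
{
    b->pages = pages_alloc(nr_pages);
    b->do_dio = (unsigned char)nr_pages;    /* 256 is stored as 0 */
}

static void map_wide(struct buf_wide *b, unsigned int nr_pages)
{
    b->pages = pages_alloc(nr_pages);
    b->do_dio = nr_pages;
}

/* Release: a non-zero do_dio is the only sign that direct I/O was set up. */
static void release_narrow(struct buf_narrow *b)
{
    if (b->do_dio) {
        pages_free(b->pages);
        b->pages = NULL;
        b->do_dio = 0;
    }
}

static void release_wide(struct buf_wide *b)
{
    if (b->do_dio) {
        pages_free(b->pages);
        b->pages = NULL;
        b->do_dio = 0;
    }
}

/* Buffers still allocated after one map/release cycle with the narrow field. */
int leaked_narrow(unsigned int nr_pages)
{
    struct buf_narrow b = { NULL, 0 };
    int leaked;

    outstanding = 0;
    map_narrow(&b, nr_pages);
    release_narrow(&b);
    leaked = outstanding;
    pages_free(b.pages);             /* tidy up the model itself */
    return leaked;
}

/* Same cycle with the widened field. */
int leaked_wide(unsigned int nr_pages)
{
    struct buf_wide b = { NULL, 0 };
    int leaked;

    outstanding = 0;
    map_wide(&b, nr_pages);
    release_wide(&b);
    leaked = outstanding;
    pages_free(b.pages);
    return leaked;
}

int main(void)
{
    unsigned int n;

    for (n = 254; n <= 257; n++)
        printf("pages=%u narrow_leak=%d wide_leak=%d\n",
               n, leaked_narrow(n), leaked_wide(n));
    return 0;
}
```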
4.119.14. RHBA-2013:1169 — kernel bug fix update
Updated kernel packages that fix several bugs are now available for Red Hat Enterprise Linux 6
Extended Update Support.
The kernel packages contain the Linux kernel, which is the core of any Linux operating system.
Bug Fixes
BZ#977666
A race condition between the read_swap_cache_async() and get_swap_page() functions in
the Memory management (mm) code could lead to a deadlock situation. The deadlock
could occur only on systems that deployed swap partitions on devices supporting block
DISCARD and TRIM operations if kernel preemption was disabled (the !CONFIG_PREEMPT
parameter). If the read_swap_cache_async() function was given a SWAP_HAS_CACHE
entry that did not have a page in the swap cache yet, a DISCARD operation was performed
in the scan_swap_map() function. Consequently, completion of an I/O operation was
scheduled on the same CPU's working queue the read_swap_cache_async() was running
on. This caused the thread in read_swap_cache_async() to loop indefinitely around its
"EEXIST" case, rendering the system unresponsive. The problem has been fixed by adding
an explicit cond_resched() call to read_swap_cache_async(), which allows other tasks to
run on the affected CPU, thus avoiding the deadlock.
BZ#982113
The bnx2x driver could have previously reported an occasional MDC/MDIO timeout error
along with the loss of the link connection. This could happen in environments using an
older boot code because the MDIO clock was set in the beginning of each boot code
sequence instead of per CL45 command. To avoid this problem, the bnx2x driver now sets
the MDIO clock per CL45 command. Additionally, the MDIO clock is now implemented per
EMAC register instead of per port number, which prevents ports from using different EMAC
addresses for different PHY accesses. Also, boot code or Management Firmware (MFW)
upgrade is required to prevent the boot code (firmware) from taking over link ownership if
the driver's pulse is delayed. The BCM57711 card requires boot code version 6.2.24 or
later, and the BCM57712/578xx cards require MFW version 7.4.22 or later.
BZ#982467
If the audit queue is too long, the kernel schedules the kauditd daemon to alleviate the load
on the audit queue. Previously, if the current audit process had any pending signals in
such a situation, it entered a busy-wait loop for the duration of an audit backlog timeout
because the wait_for_auditd() function was called as an interruptible task. This could lead
to system lockup in non-preemptive uniprocessor systems. This update fixes the problem by
setting wait_for_auditd() as uninterruptible.
BZ#988225
The kernel could rarely terminate instead of creating a dump file when a multi-threaded
process using FPU aborted. This happened because the kernel did not wait until all
threads became inactive and attempted to dump the FPU state of active threads into
memory which triggered a BUG_ON() routine. A patch addressing this problem has been
applied and the kernel now waits for the threads to become inactive before dumping their
FPU state into memory.
BZ#990080
Due to hardware limits, the be2net adapter cannot handle packets with size greater than 64
KB including the Ethernet header. Therefore, if the be2net adapter received xmit requests
exceeding this size, it was unable to process the requests, produced error messages and
could become unresponsive. To prevent these problems, GSO (Generic Segmentation
Offload) maximum size has been reduced to account for the Ethernet header.
BZ#990085
BE family hardware could falsely indicate an unrecoverable error (UE) on certain platforms
and stop further access to be2net-based network interface cards (NICs). A patch has been
applied to disable the code that stops further access to hardware for BE family network
interface cards (NICs). For a real UE, it is not necessary as the corresponding hardware
block is not accessible in this situation.
Users should upgrade to these updated packages, which contain backported patches to correct
these issues. The system must be rebooted for this update to take effect.
4.119.15. RHSA-2013:0840 — Important: kernel security update
Updated kernel packages that fix one security issue are now available for Red Hat Enterprise Linux
6.2 Extended Update Support.
The Red Hat Security Response Team has rated this update as having important security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link associated with the description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security Fix
CVE-2013-2094, Important
This update fixes the following security issue:
* It was found that the Red Hat Enterprise Linux 6.1 kernel update (RHSA-2011:0542)
introduced an integer conversion issue in the Linux kernel's Performance Events
implementation. This led to a user-supplied index into the perf_swevent_enabled array not
being validated properly, resulting in out-of-bounds kernel memory access. A local,
unprivileged user could use this flaw to escalate their privileges.
A public exploit that affects Red Hat Enterprise Linux 6 is available.
Refer to Red Hat Knowledge Solution 373743, linked to in the References, for further information and
mitigation instructions for users who are unable to immediately apply this update.
Users should upgrade to these updated packages, which contain a backported patch to correct this
issue. The system must be rebooted for this update to take effect.
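The class of flaw described for CVE-2013-2094, as an added user-space model that is neither kernel code nor taken from the advisory: a 64-bit user value narrowed to a signed int before a bounds check, beside a check on the full unsigned value. The table size, function names and sample values are constructed, and the assumption that the flawed check tests only the upper bound is this example's, not the page's.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* User-space model of an integer conversion flaw in an index check.
 * Not kernel code: table size, names and samples are constructed. */

#define SW_EVENT_MAX 9               /* constructed number of valid ids */

enum { REJECTED = 0, ACCEPTED = 1 };

typedef int (*check_fn)(uint64_t config, long *index);

/* Flawed pattern (assumed form): the 64-bit value is narrowed to a signed
 * int and only the upper bound is tested, so negative results pass. */
static int check_flawed(uint64_t config, long *index)
{
    int event_id = (int)config;      /* keeps the low 32 bits on gcc/clang */

    if (event_id >= SW_EVENT_MAX)
        return REJECTED;
    *index = event_id;               /* value that would index the table */
    return ACCEPTED;
}

/* Hardened pattern: test the full unsigned 64-bit value before narrowing,
 * so nothing outside [0, SW_EVENT_MAX) is ever used as an index. */
static int check_hardened(uint64_t config, long *index)
{
    if (config >= SW_EVENT_MAX)
        return REJECTED;
    *index = (long)config;
    return ACCEPTED;
}

/* Constructed sample inputs covering both sides of each boundary. */
static const uint64_t samples[] = {
    UINT64_C(0), UINT64_C(8), UINT64_C(9),
    UINT64_C(0x7fffffff), UINT64_C(0x80000000), UINT64_C(0xffffffff),
    UINT64_C(0x100000003), UINT64_C(0xffffffffffffffff),
};

/* How many samples a check accepts although the index is outside the table. */
int out_of_bounds_accepted(check_fn check)
{
    int count = 0;
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        long index = 0;

        if (check(samples[i], &index) == ACCEPTED &&
            (index < 0 || index >= SW_EVENT_MAX))
            count++;
    }
    return count;
}

int main(void)
{
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        long fi = 0, hi = 0;
        int f = check_flawed(samples[i], &fi);
        int h = check_hardened(samples[i], &hi);

        printf("config=0x%016" PRIx64 " flawed=%s", samples[i],
               f == ACCEPTED ? "accept" : "reject");
        if (f == ACCEPTED)
            printf("(index %ld)", fi);
        printf(" hardened=%s\n", h == ACCEPTED ? "accept" : "reject");
    }
    printf("out-of-bounds accepted: flawed=%d hardened=%d\n",
           out_of_bounds_accepted(check_flawed),
           out_of_bounds_accepted(check_hardened));
    return 0;
}
```

The sample 0x100000003 shows a second effect of the narrowing: the flawed check accepts it as index 3 even though the value supplied was never a valid id.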
4.119.16. RHBA-2013:1397 — kernel bug fix update
Updated kernel packages that fix two bugs are now available for Red Hat Enterprise Linux 6
Extended Update Support.
The kernel packages contain the Linux kernel, which is the core of any Linux operating system.
Bug Fixes
BZ#1004659
Previously, the be2net driver failed to detect the last port of BE3 (BladeEngine 3) when UMC
(Universal Multi-Channel) was enabled. Consequently, two of the ports could not be used
by users and error messages were returned. A patch has been provided to fix this bug and
the be2net driver now detects all ports without returning any error messages.
BZ#1005060
When a copy-on-write fault happened on a Transparent Huge Page (THP), the 2 MB THP
caused the cgroup to exceed the "memory.limit_in_bytes" value but the individual 4 KB
page was not exceeded. Consequently, the Out of Memory (OOM) killer killed processes
outside of a memory cgroup when one or more processes inside that memory cgroup
exceeded the "memory.limit_in_bytes" value. With this update, the 2 MB THP is correctly
split into 4 KB pages when the "memory.limit_in_bytes" value is exceeded. The OOM kill is
delivered within the memory cgroup; tasks outside the memory cgroups are no longer killed
by the OOM killer.
Users should upgrade to these updated packages, which contain backported patches to correct
these bugs. The system must be rebooted for this update to take effect.
4.119.17. RHSA-2013:1519 — Important: kernel security and bug fix update
Updated kernel packages that fix two security issues and several bugs are now available for Red Hat
Enterprise Linux 6.2 Extended Update Support.
The Red Hat Security Response Team has rated this update as having important security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are
available for each vulnerability from the CVE links associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security Fixes
CVE-2012-4508, Important
A race condition was found in the way asynchronous I/O and fallocate() interacted when
using the ext4 file system. A local, unprivileged user could use this flaw to expose random
data from an extent whose data blocks have not yet been written, and thus contain data
from a deleted file.
CVE-2013-4299, Moderate
An information leak flaw was found in the way the Linux kernel's device mapper subsystem,
under certain conditions, interpreted data written to snapshot block devices. An attacker
could use this flaw to read data from disk blocks in free space, which are normally
inaccessible.
Red Hat would like to thank Theodore Ts'o for reporting CVE-2012-4508, and Fujitsu for reporting
CVE-2013-4299. Upstream acknowledges Dmitry Monakhov as the original reporter of CVE-2012-4508.
Bug Fixes
BZ#1017898
When the Audit subsystem was under heavy load, it could loop infinitely in the
audit_log_start() function instead of failing over to the error recovery code. This would
cause soft lockups in the kernel. With this update, the timeout condition in the
audit_log_start() function has been modified to properly fail over when necessary.
BZ#1017902
When handling Memory Type Range Registers (MTRRs), the stop_one_cpu_nowait()
function could potentially be executed in parallel with the stop_machine() function, which
resulted in a deadlock. The MTRR handling logic now uses the stop_machine() function
and makes use of mutual exclusion to avoid the aforementioned deadlock.
BZ#1020519
Power-limit notification interrupts were enabled by default. This could lead to degradation
of system performance or even render the system unusable on certain platforms, such as
Dell PowerEdge servers. Power-limit notification interrupts have been disabled by default
and a new kernel command line parameter "int_pln_enable" has been added to allow users
to observe these events using the existing system counters. Power-limit notification
messages are also no longer displayed on the console. The affected platforms no longer
suffer from degraded system performance due to this problem.
BZ#1021950
Package level thermal and power limit events are not defined as MCE errors for the x86
architecture. However, the mcelog utility erroneously reported these events as MCE errors
with the following message:
kernel: [Hardware Error]: Machine check events logged
Package level thermal and power limit events are no longer reported as MCE errors by
mcelog. When these events are triggered, they are now reported only in the respective
counters in sysfs (specifically, /sys/devices/system/cpu/cpu<number>/thermal_throttle/).
BZ#1024453
An insufficiently designed calculation in the CPU accelerator could cause an arithmetic
overflow in the set_cyc2ns_scale() function if the system uptime exceeded 208 days prior to
using kexec to boot into a new kernel. This overflow led to a kernel panic on systems using
the Time Stamp Counter (TSC) clock source, primarily systems using Intel Xeon E5
processors that do not reset TSC on soft power cycles. A patch has been applied to modify
the calculation so that this arithmetic overflow and kernel panic can no longer occur under
these circumstances.
All kernel users are advised to upgrade to these updated packages, which contain backported
patches to correct these issues. The system must be rebooted for this update to take effect.
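Where the 208-day figure in BZ#1024453 can come from, as an added C model that is not the kernel's code or Red Hat's patch. It assumes a fixed-point conversion ns = cycles * scale >> 10 with scale = (10^6 << 10) / cpu_khz, which the text does not state; the function names are hypothetical, and the split form shown is one overflow-safe way to compute the same value.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Model of a fixed-point cycles-to-nanoseconds conversion. Assumption (not
 * stated in the text): ns = cycles * scale >> 10, with
 * scale = (10^6 << 10) / cpu_khz. Function names are hypothetical. */

#define SCALE_SHIFT 10

uint64_t scale_for_khz(uint64_t cpu_khz)
{
    return (UINT64_C(1000000) << SCALE_SHIFT) / cpu_khz;
}

/* Overflow-prone form: the 64-bit product wraps before the shift. */
uint64_t cyc2ns_naive(uint64_t cyc, uint64_t scale)
{
    return (cyc * scale) >> SCALE_SHIFT;
}

/* Overflow-safe form: split cyc into quotient and remainder of 2^10 so the
 * intermediate products stay small. The result is the same exact value. */
uint64_t cyc2ns_split(uint64_t cyc, uint64_t scale)
{
    uint64_t q = cyc >> SCALE_SHIFT;
    uint64_t r = cyc & ((UINT64_C(1) << SCALE_SHIFT) - 1);

    return q * scale + ((r * scale) >> SCALE_SHIFT);
}

/* First counter value whose product with scale no longer fits in 64 bits. */
uint64_t first_overflowing_cycle(uint64_t scale)
{
    return UINT64_MAX / scale + 1;
}

/* Whole days of uptime before the naive form wraps at this TSC frequency. */
uint64_t days_until_overflow(uint64_t cpu_khz)
{
    uint64_t cyc = first_overflowing_cycle(scale_for_khz(cpu_khz));
    uint64_t seconds = cyc / (cpu_khz * 1000);

    return seconds / 86400;
}

int main(void)
{
    uint64_t khz = 2000000;                    /* constructed: 2 GHz TSC */
    uint64_t scale = scale_for_khz(khz);
    uint64_t edge = first_overflowing_cycle(scale);

    printf("scale=%" PRIu64 " first overflowing cycle=%" PRIu64 "\n",
           scale, edge);
    printf("days until overflow: %" PRIu64 "\n", days_until_overflow(khz));
    printf("just below: naive=%" PRIu64 " split=%" PRIu64 "\n",
           cyc2ns_naive(edge - 2, scale), cyc2ns_split(edge - 2, scale));
    printf("at edge:    naive=%" PRIu64 " split=%" PRIu64 "\n",
           cyc2ns_naive(edge, scale), cyc2ns_split(edge, scale));
    return 0;
}
```

Under this assumption the product wraps once the elapsed time reaches 2^54 ns, about 208.5 days, whatever the clock frequency.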
4.119.18. RHSA-2013:0882 — Important: kernel security and bug fix update
Updated kernel packages that fix multiple security issues and several bugs are now available for Red
Hat Enterprise Linux 6.2 Extended Update Support.
The Red Hat Security Response Team has rated this update as having important security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are
available for each vulnerability from the CVE links associated with each description below.
The kernel packages contain the Linux kernel, the core of any Linux operating system.
Security Fixes
CVE-2013-0311, Important
This update fixes the following security issues:
* A flaw was found in the way the vhost kernel module handled descriptors that spanned
multiple regions. A privileged guest user in a KVM (Kernel-based Virtual Machine) guest
could use this flaw to crash the host or, potentially, escalate their privileges on the host.
CVE-2012-4461, Moderate
A flaw was found in the way the KVM subsystem handled guests attempting to run with the
X86_CR4_OSXSAVE CPU feature flag set. On hosts without the XSAVE CPU feature, a local,
unprivileged user could use this flaw to crash the host system. (The "grep --color xsave
/proc/cpuinfo" command can be used to verify if your system has the XSAVE CPU feature.)
CVE-2012-4542, Moderate
It was found that the default SCSI command filter does not accommodate commands that
overlap across device classes. A privileged guest user could potentially use this flaw to
write arbitrary data to a LUN that is passed-through as read-only.
CVE-2013-1767, Low
A use-after-free flaw was found in the tmpfs implementation. A local user able to mount and
unmount a tmpfs file system could use this flaw to cause a denial of service or, potentially,
escalate their privileges.
Red Hat would like to thank Jon Howell for reporting CVE-2012-4461. CVE-2012-4542 was
discovered by Paolo Bonzini of Red Hat.
Bug Fixes
BZ#960409
Previously, when open(2) system calls were processed, the GETATTR routine did not check
to see if valid attributes were also returned. As a result, the open() call succeeded with
invalid attributes instead of failing in such a case. This update adds the missing check,
and the open() call succeeds only when valid attributes are returned.
BZ#960418
Previously, the fsync(2) system call incorrectly returned the EIO (Input/Output) error instead
of the ENOSPC (No space left on device) error. This was due to incorrect error handling in
the page cache. This problem has been fixed and the correct error value is now returned.
BZ#960423
In the RPC code, when a network socket backed up due to high network traffic, a timer was
set causing a retransmission, which in turn could cause an even larger amount of network
traffic to be generated. To prevent this problem, the RPC code now waits for the socket to
empty instead of setting the timer.
BZ#955502
This update fixes a number of bugs in the be2iscsi driver for ServerEngines BladeEngine 2
Open iSCSI devices.
Users should upgrade to these updated packages, which contain backported patches to correct
these issues. The system must be rebooted for this update to take effect.
4.119.19. RHBA-2013:0584 — kernel bug fix update
Updated kernel packages that fix two bugs are now available for Red Hat Enterprise Linux 6
Extended Update Support.
The kernel packages contain the Linux kernel, which is the core of any Linux operating system.
Bug Fixes
BZ#891862
Previously, NFS mounts failed against Microsoft Windows 8 servers, because the Windows
server contained support for the minor version 1 (v4.1) of the NFS version 4 protocol only,
along with support for versions 2 and 3. The lack of the minor version 0 (v4.0) support
caused Red Hat Enterprise Linux 6 clients to fail instead of rolling back to version 3 as
expected. This update fixes this bug and mounting an NFS export works as expected.
BZ#905433
If Time Stamp Counter (TSC) kHz calibration failed, usually on a Red Hat Enterprise Linux 6
virtual machine running inside of QEMU, the init_tsc_clocksource() function divided by
zero. This was due to a missing check to verify if the tsc_khz variable is of a non-zero
value. Consequently, booting the kernel on such a machine led to a kernel panic. This
update adds the missing check to prevent this problem and TSC calibration functions
normally.
Users should upgrade to these updated packages, which contain backported patches to fix these
bugs. The system must be rebooted for this update to take effect.
4.120. kexec-tools
4.120.1. RHSA-2011:1532 — Moderate: kexec-tools security, bug fix, and enhancement update
An updated kexec-tools package that fixes three security issues, various bugs, and adds several
enhancements is now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are
available for each vulnerability from the CVE links associated with each description below.
kexec-tools allows a Linux kernel to boot from the context of a running kernel.
Security Fixes
CVE-2011-3588
Kdump used the Secure Shell (SSH) StrictHostKeyChecking=no option when
dumping to SSH targets, causing the target kdump server's SSH host key not to be
checked. This could make it easier for a man-in-the-middle attacker on the local network to
impersonate the kdump SSH target server and possibly gain access to sensitive
information in the vmcore dumps.
CVE-2011-3589
mkdumprd created initial RAM disk (initrd) files with world-readable permissions. A
local user could possibly use this flaw to gain access to sensitive information, such as the
private SSH key used to authenticate to a remote server when kdump was configured to
dump to an SSH target.
CVE-2011-3590
mkdumprd included unneeded sensitive files (such as all files from the /root/.ssh/
directory and the host's private SSH keys) in the resulting initrd. This could lead to an
information leak when initrd files were previously created with world-readable
permissions.
Note
With this update, only the SSH client configuration, known hosts files, and the SSH
key configured via the newly introduced sshkey option in /etc/kdump.conf are
included in the initrd. The default is the key generated when running the service
kdump propagate command, /root/.ssh/kdump_id_rsa.
Red Hat would like to thank Kevan Carstensen for reporting these issues.
Bug Fixes
BZ#681796
Kdump is a kexec based crash dumping mechanism for Linux. Root System Description
Pointer (RSDP) is a data structure used in the ACPI programming interface. Kdump uses
kexec to boot to a second kernel, the "dump-capture" or "crash kernel", when a dump of
the system kernel's memory needs to be taken. On systems using Extensible Firmware
Interface (EFI), attempting to boot a second kernel using kdump failed, the dump-capture
kernel became unresponsive and the following error message was logged.
ACPI Error: A valid RSDP was not found
With this update, a new parameter, acpi_rsdp, has been added to the noefi kernel
command. Now, if EFI is detected, a command in the format noefi acpi_rsdp=X is given
to the second kernel, which tells it not to use EFI and simultaneously passes it the address
of the RSDP. The second kernel now boots successfully on EFI machines.
BZ#693025
To reduce the size of the vmcore dump file, kdump allows you to specify an external
application (that is, a core collector) to compress the data. The core collector was not
enabled by default when dumping to a secure location via SSH. Consequently, if users had
not specified an argument for core_collector in kdump.conf, when kdump was
configured to dump kernel data to a secure location using SSH, it generated a complete
vmcore, without removing free pages. With this update, the default core collector will be
makedumpfile when kdump is configured to use SSH. As a result, the vmcore dump file is
now compressed by default.
BZ#707805
Previously, the mkdumprd utility failed to parse the /etc/mdadm.conf configuration file.
As a consequence, mkdumprd failed to create an initial RAM disk file system (initrd) for
kdump crash recovery and the kdump service failed to start. With this update, mkdumprd
has been modified so that it now parses the configuration file and builds initrd correctly.
The kdump service now starts as expected.
BZ#708503
In order for Coverity to scan defects in downstream patches separately, it is necessary to
make a clean raw build of the source code without patches. However, kexec-tools would
not build without downstream patches. With this update, by adding a specified patch in
the kexec-tools spec file, kexec-tools can now be built from source in the scenario
described.
BZ#709441
On 64-bit PowerPC-based systems with more than 1 TB of RAM, the kexec-tools utility
terminated unexpectedly with a segmentation fault when kdump was started, thus
preventing crash kernel capture. With this update, the problem has been fixed, kexec-tools
no longer crashes, and kdump can now be used on a system with greater than 1 TB
of physical memory.
BZ#719105
The mkdumprd utility creates an initial RAM disk file system (initrd) for use in
conjunction with the booting of a second kernel within the kdump framework for crash
recovery. Prior to this update, mkdumprd became unresponsive when the running kernel
was not the same as the target kernel. With this update the problem has been fixed and
mkdumprd no longer hangs in the scenario described.
BZ#731236
A regression caused the following erroneous error message to be displayed when kdump
was setting up Ethernet network connections in order to reach a remote dump target:
sed: /etc/cluster_iface: No such file or directory
A patch has been applied to correct the problem and the error no longer occurs in the
scenario described.
BZ#731394
During kdump start up, a check was made to see if the amount of RAM the currently
running kernel was using was more than 70% of the amount of RAM reserved for kdump. If
the memory in use was greater than 70% of the memory reserved, the following error
message was displayed.
Your running kernel is using more than 70% of the amount of space
you reserved for kdump, you should consider increasing your
crashkernel reservation
Due to improvements in conserving memory in the kexec kernel the warning is no longer
considered valid. This update removes the warning.
BZ#739050
Previously, if kexec-tools was installed and kdump was not running, installing the fence-agents package caused the following erroneous error message:
Non-fatal <unknown> scriptlet failure in rpm package
This update corrects the kexec-tools spec file and the erroneous error message no longer
appears.
BZ#746207
Removing kexec-tools on IBM System z resulted in the following error, even though the
package was successfully removed.
error reading information on service kdump: No such file or
directory
With this update, changes have been made to the kexec-tools spec file and the erroneous
error message no longer appears.
BZ#747233
When providing firmware at operating system install time, supplied as part of the Driver
Update program (DUP), the installation completed successfully but the operating system
would fail on reboot. An error message in the following format was displayed:
cp: cannot stat `/lib/firmware/*': No such file or directory
With this update, a check for the directory containing the DUP supplied firmware is made
and the problem no longer occurs.
Enhancements
BZ#585332
With large memory configurations, some machines take a long time to dump state
information when a kernel panic occurs. The cluster software sometimes forced a reboot
before the dump completed. With this update, co-ordination between kdump and cluster
fencing for long kernel panic dumps is added.
BZ#598067
A new configuration option in kdump.conf, force_rebuild, has been added. When
enabled, this option forces the kdump init script to rebuild initrd every time the system
starts, thus ensuring kdump has enough storage space on each system start-up.
BZ#725484
On x86, AMD64 & Intel 64 platforms kexec-tools now uses nr_cpus=1 rather than
maxcpus=1 to save memory required by the second kernel. PowerPC platforms currently
cannot handle this feature.
BZ#727892
A warning was added to use maxcpus=1 instead of nr_cpus=1 for older kernels (see the
enhancement above).
BZ#734528
Kdump has been provided with an option so that memory usage can be logged in the
second kernel at various stages for debugging memory consumption issues. The second
kernel memory usage debugging capability can be enabled via the new kdump.conf
debug_mem_level option.
BZ#740275, BZ#740277
With this update, kdump support for dumping core to ext4 file systems, and also to XFS
file systems on data disks (but not the root disk) has been added.
Note
For XFS, the XFS layer product needs to be installed.
Layered products are those not included by default in the
base Red Hat Enterprise Linux operating system.
BZ#740278
With this update, kdump support for dumping core to Btrfs file systems has been added.
Note
BusyBox's "findfs" utility does not yet support Btrfs, so
UUID/LABEL resolving does not work. Avoid using UUID/LABEL
syntax when dumping core to Btrfs file systems. Btrfs itself
is still considered experimental; refer to Red Hat Technical
Notes.
BZ#748748
Kdump did not check the return code of the mount command. Consequently, when the
command mount -t debugfs debug /sys/kernel/debug was issued in the kdump
service script, if the file system was already mounted, the message returned was
erroneously logged as an error message. With this update, the logic in the kdump service
script has been improved and the kdump service script now functions as expected.
Users of kexec-tools should upgrade to this updated package, which contains backported patches to
resolve these issues and add these enhancements.
4.120.2. RHBA-2012:0479 — kexec-tools bug fix update
Updated kexec-tools packages that fix one bug and add one enhancement are now available for Red
Hat Enterprise Linux 6.
The kexec-tools package contains the /sbin/kexec binary and utilities that together form the userspace component of the kernel's kexec feature. The /sbin/kexec binary facilitates a new kernel to boot
using the kernel's kexec feature either on a normal or a panic reboot. The kexec fastboot mechanism
allows booting a Linux kernel from the context of an already running kernel.
Bug Fix
BZ#773358
When running kdump after a kernel crash on the system using the ext4 file systems, the
kdump initrd could have been created with the zero byte size. This happened because the
system waits for several seconds before writing the changes to the disk when using the ext4
file system. Consequently, the kdump initial root file system (rootfs) could not have been
mounted and kdump failed. This update modifies kexec-tools to perform the sync
operations after creating the initrd. This ensures that initrd is properly written to the disk
before trying to mount rootfs so that kdump now successfully proceeds and captures a core
dump.
Enhancement
BZ#808466
The kdump utility does not support Xen para-virtualized (PV) drivers on Hardware
Virtualized Machine (HVM) guests in Red Hat Enterprise Linux 6. Therefore, kdump failed to
start if the guest had loaded PV drivers. This update modifies underlying code to allow
kdump to start without PV drivers on HVM guests configured with PV drivers.
All users of kexec-tools are advised to upgrade to these updated packages, which fix this bug and add
this enhancement.
4.121. keyutils
4.121.1. RHEA-2011:1684 — keyutils bug fix and enhancement update
Updated keyutils packages that fix one bug and add one enhancement are now available for Red
Hat Enterprise Linux 6.
The keyutils package provides utilities to control the Linux kernel key management facility and to
provide a mechanism by which the kernel calls up to user space to get a key instantiated.
Bug Fix
BZ#730002
The keyutils subpackage did not contain a dependency on the keyutils-libs subpackage
but rather it contained only an implicit dependency on the libkeyutils.so.[n] shared object
files specified as the SONAME variable. As a consequence, the keyutils subpackage could
have been updated without applying the newest keyutils libraries, which could have caused
keyutils to work incorrectly. To fix this issue, the keyutils spec file has been modified to
include an explicit dependency on the version of keyutils-libs that matches the keyutils
subpackage. Both subpackages are now updated together.
Enhancement
BZ#727280
Previously, the keyutils subpackages were compiled without the RELRO (read-only
relocations) flag. Programs provided by this package and also programs built against the
keyutils libraries were thus vulnerable to various attacks based on overwriting the ELF
section of a program. To increase the security of keyutils programs and libraries, the
keyutils spec file has been modified to use the "-Wl,-z,relro" flags when compiling the
packages. As a result, the keyutils subpackages are now provided with partial RELRO
protection.
Users are advised to upgrade to these updated keyutils packages, which fix this bug and add this
enhancement.
4.122. krb5
4.122.1. RHSA-2011:1790 — Moderate: krb5 security update
Updated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
Kerberos is a network authentication system which allows clients and servers to authenticate to each
other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC).
Security Fix
CVE-2011-1530
A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed
certain TGS (Ticket-granting Server) requests. A remote, authenticated attacker could use
this flaw to crash the KDC via a specially-crafted TGS request.
Red Hat would like to thank the MIT Kerberos project for reporting this issue.
All krb5 users should upgrade to these updated packages, which contain a backported patch to
correct this issue. After installing the updated packages, the krb5kdc daemon will be restarted
automatically.
4.122.2. RHBA-2011:1707 — krb5 bug fix update
Updated krb5 packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
The Kerberos authentication system allows clients and servers to authenticate to each other using
symmetric encryption and the help of a trusted third party, the KDC. This update fixes the following
bugs:
BZ#651466
Kerberos version 1.8 and later defaults to disabling support for older encryption types
which are no longer believed to be sufficiently strong. When upgrading from older versions
of Red Hat Enterprise Linux, a number of services which run at the key distribution center
(KDC) need to have their keys reset to include keys for newer encryption types. This update
adds a spot-check to the KDC init script which assists in diagnosing this condition.
BZ#701446, BZ#746341
Previously, a client could fail to connect to a KDC if a sufficiently large number of
descriptors was already in use. This update modifies the Kerberos libraries to switch to
using poll() instead of select(), which does not suffer from this limitation.
BZ#713252, BZ#729068
Previously, the kadmin client could fail to establish a connection with certain older versions
of the kadmin daemon. In these situations, the server often logged a diagnostic noting that
the client had supplied it with incorrect channel bindings. This update modifies the client to
allow it to once again contact those versions of kadmind.
BZ#713518
Previously, a client failed to obtain credentials for authentication from KDCs that rejected
requests specifying unrecognized options and that also did not support the canonicalize
option. With this update, obtaining credentials also works with these KDCs.
BZ#714217
Previously, locally-applied patches, which attempt to ensure that any files created by the
Kerberos libraries are given and keep the correct SELinux file labels, did not correctly
ensure that replay cache files kept their labels. This update corrects the patch to cover this
case.
BZ#717378
Previously, the Kerberos client libraries could inadvertently trigger an address-to-name
lookup inside of the resolver libraries when attempting to derive a principal name from a
combination of a service name and a host name, even if the user disabled them using the
"rdns" setting in the krb5.conf file. This update modifies the client library to prevent it from
triggering these lookups.
BZ#724033
Previously, the kadmind init script could erroneously refuse to start the kadmind server on a
KDC, if the realm database was moved to a non-default location, or a non-default kdb
backend was in use. This update removes the logic from the init script which caused it to do
so.
BZ#729044
Previously, the krb5-debuginfo package excluded several source files used to build the
package. This update ensures that the affected files are still included.
BZ#734341
Previously, obtaining the Kerberos credentials for services could fail if the target server
was in another trusted realm than the client. This update modifies krb5-libs so that the client
obtains the credentials as expected.
All Kerberos users are advised to upgrade to these updated packages, which fix these bugs.
4.123. krb5-appl
4.123.1. RHSA-2011:1852 — Critical: krb5-appl security update
Updated krb5-appl packages that fix one security issue are now available for Red Hat Enterprise
Linux 6.
The Red Hat Security Response Team has rated this update as having Critical security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link(s) associated with each description below.
The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and rlogin clients and servers.
Kerberos is a network authentication system which allows clients and servers to authenticate to each
other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC).
Security Fix
CVE-2011-4862
A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd). A remote attacker
who can access the telnet port of a target machine could use this flaw to execute arbitrary
code as root.
Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux.
In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect
the telnet daemon distributed in the telnet-server package.
For users who have installed the krb5-appl-servers package, have enabled the krb5 telnet daemon,
and have it accessible remotely, this update should be applied immediately.
All krb5-appl-server users should upgrade to these updated packages, which contain a backported
patch to correct this issue.
4.123.2. RHBA-2011:1706 — krb5-appl bug fix and enhancement update
Updated krb5-appl packages that fix two bugs and add one enhancement are now available for Red
Hat Enterprise Linux 6.
The krb5-appl packages contain Kerberos-aware versions of clients and servers for the telnet, FTP,
rsh, and rlogin protocols.
Bug Fixes
BZ#713459
Prior to this update, the default PAM configuration for the FTP server incorrectly attempted
to use the pam_selinux.so module. As a result, users failed to log in. This update corrects
the supplied configuration. Now, the FTP server works as expected.
BZ#713521
Prior to this update, the FTP server did not correctly parse lines in the /etc/ftpusers file
which specified user names in combination with the "restrict" keyword. This update modifies
the code so that the server parses the "restrict" keyword correctly.
Enhancement
BZ#665834, BZ#736364
Prior to this update, the command-line FTP client in the krb5-appl-clients package did not
accept command lines longer than 500 characters. This update removes this limitation.
All users of krb5-appl are advised to upgrade to these updated packages, which fix these bugs and
add this enhancement.
4.123.3. RHBA-2012:0550 — krb5-appl bug fix update
Updated krb5-appl packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The krb5-appl packages contain Kerberos-aware versions of telnet, ftp, rsh, and rlogin clients and
servers. Kerberos is a network authentication system which allows clients and servers to authenticate
to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC).
Bug Fix
BZ#816689
When executing either the "mdir" or "mls" command, the FTP client stores results returned
by the server in a specified local file. Previously, when opening the file, the client did not
ensure that the mode value it passed to the fopen() function was properly null-terminated.
This could cause unpredictable failures. This update ensures that the value is properly
null-terminated so that the failures no longer occur in this scenario.
All users of krb5-appl are advised to upgrade to these updated packages, which fix this bug.
4.124. ksh
4.124.1. RHBA-2012:1428 — ksh bug fix update
An updated ksh package that fixes one bug is now available for Red Hat Enterprise Linux 6 Extended
Update Support.
KSH-93 is the most recent version of the KornShell by David Korn of AT&T Bell Laboratories.
KornShell is a shell programming language which is also compatible with sh, the original Bourne
Shell.
Bug Fix
BZ#863947
Previously, ksh did not allocate the correct amount of memory for its data structures
containing information about file descriptors. When running a task that used file
descriptors extensively, ksh terminated unexpectedly with a segmentation fault. With this
update, the proper amount of memory is allocated and ksh no longer crashes if file
descriptors are used extensively.
All users of ksh are advised to upgrade to this updated package, which fixes this bug.
4.124.2. RHBA-2011:1647 — ksh bug fix update
An updated ksh package that fixes various bugs is now available for Red Hat Enterprise Linux 6.
KSH-93 is the most recent version of the KornShell by David Korn of AT&T Bell Laboratories.
KornShell is a shell programming language which is also compatible with sh, the original Bourne
Shell.
Bug Fixes
BZ#702016
Previously, ksh did not always wait for a pipeline to complete when the pipefail option was
used. Consequently, a failed exit status was erroneously reported even when the pipeline
had not failed. With this update, the code has been improved and the pipefail option now
functions as expected.
BZ#702013, BZ#728900
When running a ksh script the exit code of a child process was not preserved.
Consequently, when a script asked for such an exit code, the wrong value was reported.
With this update, an upstream patch has been applied which fixes the problem.
BZ#702015
File name completion used after an environment variable failed and ksh reported a "bad
substitution" error. With this update, an upstream patch has been applied which fixes the
problem.
BZ#702011
In POSIX functions, that is, functions defined without using the "function" keyword, the value of
the variable "$0" was changed to the name of the function instead of keeping the original
value, the name of the caller function. With this update an upstream patch has been applied
to correct the code and ksh keeps the name of the caller function in "$0" as expected.
BZ#701890
Previously, when the ksh built-in "kill" command was called with a very large, non-existent
PID value, it was interpreted as "-1". The "-1" argument to the kill command is for
terminating all processes. Consequently, all processes owned by the user were killed. With
this update a patch has been applied and ksh now checks for a valid process ID.
BZ#683734
If the IFS variable was unset inside a function used in a script, the memory being used was
erroneously freed. Consequently, ksh would terminate unexpectedly. With this update, an
upstream patch has been applied which still allows the IFS variable to be unset, but no
longer frees the memory. Thus the problem is fixed, and ksh no longer crashes in the
scenario described.
BZ#702014
Previously, ksh treated an array declaration as a definition. Consequently, the array
contained one element after the declaration. This bug has been fixed, and now an array is
correctly reported as empty after a declaration.
BZ#742244
Previously, ksh became unresponsive when pipes were used in an "eval"
argument. With this update an upstream patch has been applied and ksh no longer
hangs in the scenario described.
BZ#743842
ksh could return the exit code of the previous process to have used the same PID number,
when PID numbers were being reused after many hundreds of iterations of a script. With
this update the code has been fixed and the error no longer occurs in the scenario
described.
All users of ksh are advised to upgrade to this updated package, which fixes these bugs.
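The failure described under BZ#701890 can be reproduced in miniature with the following added example, which is not ksh source code. It assumes, for illustration only, that the oversized value reached -1 through an unchecked narrowing to a 32-bit pid_t, and sets that beside a strict parser that accepts only a single-process target; both function names are hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/*
 * Unchecked conversion, shown as an assumed failure mode (not ksh's code):
 * the parsed value is narrowed to pid_t with no range check. With a 32-bit
 * pid_t on GCC or Clang, 4294967295 and every value that saturates strtoll()
 * both narrow to -1, which kill(2) treats as "every process I may signal".
 */
pid_t parse_pid_unchecked(const char *s)
{
    return (pid_t)strtoll(s, NULL, 10);
}

/*
 * Strict conversion for a single-process target: digits only, no overflow,
 * no trailing text, and a value in 1..INT_MAX. Returns 0 on success and
 * stores the result in *out; returns -1 and leaves *out untouched otherwise.
 */
int parse_pid_strict(const char *s, pid_t *out)
{
    char *end;
    long long v;

    if (s == NULL || !isdigit((unsigned char)s[0]))
        return -1;                      /* rejects "", "-1", "+5", " 7" */
    errno = 0;
    v = strtoll(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                      /* overflow or trailing junk */
    if (v < 1 || v > INT_MAX)
        return -1;                      /* would not survive the narrowing */
    *out = (pid_t)v;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one ordinary PID and several hostile or broken ones. */
    static const char *samples[] = {
        "1234", "4294967295", "99999999999999999999", "-1", "12x", "0"
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        pid_t strict = 0;
        int rc = parse_pid_strict(samples[i], &strict);
        printf("%-22s unchecked=%ld strict=%s\n", samples[i],
               (long)parse_pid_unchecked(samples[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The strict parser deliberately refuses 0 and negative values, so a caller that also needs process-group targets has to handle those as a separate, explicit case.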
4.124.3. RHBA-2012:0004 — ksh bug fix update
An updated ksh package that fixes one bug is now available for Red Hat Enterprise Linux 6.
KSH-93 is the most recent version of the KornShell by David Korn of AT&T Bell Laboratories.
KornShell is a shell programming language which is also compatible with sh, the original Bourne
Shell.
Bug Fix
BZ#768917
When exiting a subshell after a command substitution, ksh could prematurely exit without
any error. With this update, ksh no longer terminates under these circumstances and all
subsequent commands are processed correctly.
All users of ksh are advised to upgrade to this updated package, which fixes this bug.
4.125. less
4.125.1. RHBA-2011:1575 — less bug fix and enhancement update
An updated less package that fixes two bugs and adds one enhancement is now available for Red
Hat Enterprise Linux 6.
The less package contains a text file browser that is similar to the more browser, but with more
features ("less is more"). The less text file browser allows users to move backwards in the file as well
as forwards. Because the less utility does not need to read the entire input file before it starts, it starts
up faster than text editors.
Bug Fixes
BZ#644858
Prior to this update, the online help for the less utility contained incorrect descriptions for
several options. With this update, the descriptions have been corrected and the online help
now describes all options correctly.
BZ#729025
Prior to this update, a debuginfo file for a binary was missing from the less-debuginfo
package. As a result, the crash analysis via the Automatic Bug-Reporting Tool (ABRT) did
not work as expected and debugging via GNU Debugger (GDB) could fail. This update
modifies the spec file so that the crash analysis via ABRT and debugging via GDB work as
expected.
Enhancement
BZ#718498
Prior to this update, the less utility could not view its compressed .xz files. This update adds
support for .xz files to lesspipe.sh.
All users of the less text file browser are advised to upgrade to this updated package, which fixes
these bugs and adds this enhancement.
4.126. libarchive
4.126.1. RHBA-2012:0464 — libarchive bug fix update
Updated libarchive packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The libarchive programming library can create and read several different streaming archive formats,
including GNU tar and cpio. The library can also read ISO 9660 CD-ROM images.
Bug Fix
BZ#782008
A bug introduced by fixing the CVE-2011-1777 security vulnerability broke functionality of
the ISO 9660 CD-ROM image reader and prevented users from opening ISO 9660 images.
A patch has been applied to restore full functionality.
All users of libarchive are advised to upgrade to these updated packages, which fix this bug.
4.127. libatasmart
4.127.1. RHBA-2012:0703 — libatasmart bug fix update
Updated libatasmart packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The libatasmart packages contain a small and lightweight parser library for ATA S.M.A.R.T. hard disk
health monitoring.
Bug Fix
BZ#824918
Due to libatasmart incorrectly calculating the number of bad sectors, certain tools, for
example gnome-disk-utility, could erroneously report hard disks with Self-Monitoring,
Analysis and Reporting Technology (S.M.A.R.T) as failing when logging in GNOME. This
update corrects the bad sector calculation, which ensures that tools such as gnome-disk-utility do not report false positive warnings in this scenario.
All users of libatasmart are advised to upgrade to these updated packages, which fix this bug.
4.128. libcacard
4.128.1. RHBA-2011:1518 — libcacard and spice-client bug fix and enhancement update
Updated libcacard and spice-client packages that fix a number of bugs and add various
enhancements are now available for Red Hat Enterprise Linux 6.
The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol
designed for virtual environments. The spice-client package provides the client side of the SPICE
protocol.
The libcacard package contains the Common Access Card (CAC) emulation library.
BZ#723687
The spice-client package has been upgraded to upstream version 0.8.2, which provides a
number of bug fixes and enhancements over the previous version, including:
Various code cleanup modifications, such as removing unused variables, dead code
and typos, have been included.
Several package build changes, such as enabling a silent build and a cleanup in the
configure.ac script have been included.
White spaces in values for the --host-subject command line option are now ignored.
A new --version command line option for the spicec command has been added.
BZ#723895
The libcacard package has been upgraded to upstream version 0.15.0, which provides a
number of bug fixes and enhancements over the previous version, including a fix for the
following bug:
Some AET middleware did not work correctly with the CKM_RSA_X_509 encrypting
mechanism even though it reported support for this mechanism. Consequently, if such
middleware was used by libcacard virtual smart cards, smart cards failed to emulate any
RSA authentication based operations, such as requesting a security pin or retrieving
user certificates. The library has been modified to handle CKM_RSA_X_509 failures by
falling back to use CKM_RSA_PKCS encryption. Virtual smart cards now work correctly
with AET middleware.
Bug Fixes
BZ#707122
Although old SPICE-related packages (such as cairo-spice) are no longer required to be
installed with the spice-client package, they were still needed by a previously installed spice-client
or spice-server package. With the Obsolete lines in the package spec file, updating
spice-client forced an update of spice-server as well, and vice versa. With this update, all
"Obsolete" lines have been removed from the spice-client.spec file, and updating
spice-client no longer forces the update of spice-server.
BZ#692976
The SPICE client did not correctly handle monitor setting routines when it was running on
a client machine with multiple monitors. As a consequence, the client entered an infinite
loop while trying to rearrange monitors, which eventually caused the client to terminate
unexpectedly. With this update, the code has been modified to prevent the client from
entering this loop, and the client thus no longer crashes.
BZ#725009
The SPICE client failed to connect to the SPICE server on the target host after a virtual
machine had been migrated to a remote machine. This happened when the migration of the
virtual machine took longer than the expiration time of the SPICE ticket that was set on the
target host. Without a valid password, the SPICE server refused connection from the SPICE
client and the SPICE session had to be closed. To prevent this problem, support for spice
semi-seamless migration has been added. Other components such as spice-protocol, spice-server
and qemu-kvm have also been modified to support this feature. SPICE now allows
the SPICE client to connect to the SPICE server on the target host at the very start of the
virtual machine migration, just before the migrate monitor command is given to the qemu-kvm
application. With a valid ticket on the target host, the SPICE ticket on the destination
no longer expires and the SPICE client now remains open when the virtual machine
migration is done.
BZ#710461
Due to an incorrect condition in the code, the SPICE client could attempt to free memory
that has already been freed. Therefore, when the KDE desktop screen of the client machine
with the running SPICE client was locked, the SPICE client terminated unexpectedly with a
segmentation fault after unlocking the screen. The code has been modified to free memory
correctly, and the SPICE client no longer crashes in the scenario described.
BZ#692833
When running multiple SPICE client sessions at the same time and the screen resolution on
the client machine was changed, the SPICE client could often enter an infinite loop in the
code. As a consequence, the X Windows server consumed up to 100% of CPU and caused
the client machine to be unresponsive. With this update, the underlying code has been
modified to prevent the client from entering the loop, and the problem no longer occurs.
BZ#712941
The help description for the --color-depth and --disable-effects client WAN
options was inaccurate. With this update, the spicec --help command now clearly
states that these WAN options have effect only if supported by the guest vdagent.
BZ#653545
Due to the way the SPICE server establishes secured connections, the SPICE client log
contained secure-connection messages that included the misleading string,
connect_unsecure. With this update, the function used to establish secure connections
has been renamed and secure-connection messages in the client log now contain the
connect_to_peer string.
BZ#732423
On a Linux guest that uses the Xinerama extension, X Windows creates a non-primary
screen surface before it creates the primary screen surface when creating secondary
screens on start up. Unfortunately, the SPICE client expected an existence of the primary
screen surface when it attempted to handle the creation of non-primary screen surfaces.
The primary surface did not exist at the time, therefore the SPICE client terminated
unexpectedly. With this update, the SPICE client now ensures that the screen exists before
starting operations on it. The SPICE client no longer crashes in the scenario described.
BZ#723567
Previously, the --smartcard-db client command line option was not handled properly. As
a consequence, when running with this option, the SPICE client terminated with the
following error message:
Error: unhandled exception: cmd line error
With this update, the --smartcard-db option is now handled properly and the SPICE
client works as expected using this option.
BZ#712938
When attempting to connect to a Linux guest using the SPICE client with WAN options and
the SPICE agent (vdagent) was running on the guest, the client initiated handshaking. If
the vdagent did not support WAN options, it did not reply to the client and connection thus
failed with the vdagent timeout. Also with certain WAN options, such as --color-depth 16,
the attempt to connect failed with the vdagent timeout even though no vdagent was
running on the guest. With this update, the SPICE client checks capabilities of the vdagent.
If vdagent does not support WAN options or there is no vdagent running on the guest, the
client continues with the message sequence initiation and connection is now successful.
BZ#696964
Due to a missing error code setting in the source code, the SPICE client returned exit
code 0 when running without the --host command line option, although the client
correctly displayed the following error message:
spicec: missing --host
With this update, the missing line in the code has been added, and the SPICE client now
correctly exits with the error code 14 in this scenario.
All users of libcacard and spice-client are advised to upgrade to these updated packages, which fix
these bugs and add these enhancements.
4.129. libcap
4.129.1. RHSA-2011:1694 — Low: libcap security and bug fix update
Updated libcap packages that fix one security issue and one bug are now available for Red Hat
Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The libcap packages provide a library and tools for getting and setting POSIX capabilities.
Security Fix
CVE-2011-4099
It was found that capsh did not change into the new root when using the "--chroot" option.
An application started via the "capsh --chroot" command could use this flaw to escape the
chroot restrictions.
Bug Fix
B Z #7309 57
Previously, the libcap packages did not contain the capsh(1) manual page. With this
update, the capsh(1) manual page is included.
All libcap users are advised to upgrade to these updated packages, which contain backported
patches to correct these issues.
4.130. libcgroup
4.130.1. RHBA-2011:1225 — libcgroup bug fix update
An updated libcgroup package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The libcgroup package provides tools and libraries to control and monitor control groups.
Bug Fix
BZ#715413
Prior to this update, when installing the libcgroup package, a new group "cgred" was
erroneously created as a user group (starting with GID 500) and not as a system group
(with GID lower than 500). As a result, newly created users could have had a UID different
from their GID. With this update, the "cgred" group is now created correctly as the system
group with GID lower than 500. This update does not change the GID of the "cgred" group if
the group already exists on the system.
All users are advised to upgrade to this updated libcgroup package, which fixes this bug.
4.131. libcmpiutil
4.131.1. RHEA-2011:1586 — libcmpiutil enhancement update
An updated libcmpiutil package that adds one enhancement is now available for Red Hat Enterprise
Linux 6.
The libcmpiutil library provides an application programming interface (API) for performing common
tasks with various Common Manageability Programming Interface (CMPI) providers.
Enhancement
BZ#694550
With this update, the performance and the interface of the libcmpiutil library, which is
used by the libvirt-cim package, have been enhanced.
All libcmpiutil users are advised to upgrade to this updated package, which adds this enhancement.
4.132. libesmtp
4.132.1. RHEA-2011:1775 — libesmtp enhancement update
An updated libesmtp package that adds one enhancement is now available for Red Hat Enterprise
Linux 6.
LibESMTP is a library to manage posting or submitting electronic mail using SMTP to a
preconfigured Mail Transport Agent (MTA). The libesmtp package is required by Open MPI.
Enhancement
BZ#738760
Previously, LibESMTP was not shipped with Red Hat Enterprise Linux 6 on the 64-bit
PowerPC platform. This update adds the LibESMTP package to the 64-bit PowerPC variant,
as a requirement of the updated OpenMPI. Note that this update does not contain any
changes for other architectures.
All users requiring libesmtp on the 64-bit PowerPC architecture are advised to install this package,
which adds this enhancement.
4.133. libgcrypt
4.133.1. RHEA-2011:1734 — libgcrypt enhancement update
An updated libgcrypt package that adds an enhancement is now available for Red Hat Enterprise
Linux 6.
The libgcrypt package contains a library which provides general-purpose implementations of
various cryptographic algorithms.
Enhancement
BZ#727283
With this update, the libgcrypt library has been recompiled with read-only relocation
(RELRO) support, which improves the security properties of applications that use the
library.
All users of libgcrypt are advised to upgrade to this updated package, which adds this enhancement.
4.133.2. RHEA-2012:0486 — libgcrypt enhancement update
Updated libgcrypt packages that add one enhancement are now available for Red Hat Enterprise
Linux 6.
The libgcrypt library provides general-purpose implementations of various cryptographic algorithms.
Enhancement
BZ#810320
With Federal Information Processing Standards (FIPS) mode enabled, the libgcrypt library
always started in the soft FIPS mode which allows applications to use the MD5
cryptographic hash algorithm. The libgcrypt API previously did not allow the library to
programmatically switch from the soft FIPS mode to the enforced FIPS mode. With this
update, if the application does not need MD5 support for the Transport Layer Security
(TLS) protocol or non-cryptographic purposes, libgcrypt can be preset in the enforced FIPS
mode.
All users of libgcrypt are advised to upgrade to these updated packages, which add this
enhancement.
4.134. libgpg-error
4.134.1. RHBA-2011:1717 — libgpg-error enhancement update
An updated libgpg-error package is now available for Red Hat Enterprise Linux 6.
The libgpg-error library provides a set of common error codes and definitions which are shared by
the gnupg, libgcrypt and other packages.
Enhancement
BZ#727287
Previously, the libgpg-error package was compiled without the RELRO (read-only
relocations) flag. Programs provided by this package were thus vulnerable to various
attacks based on overwriting the ELF section of a program. To increase the security of the
libgpg-error library, the libgpg-error spec file has been modified to use the "-Wl,-z,relro"
flags when compiling the package. As a result, the libgpg-error package is now provided
with partial RELRO protection.
Users of libgpg-error are advised to upgrade to this updated package, which adds this
enhancement.
4.135. libguestfs
4.135.1. RHBA-2011:1512 — libguestfs bug fix and enhancement update
Updated libguestfs packages that fix multiple bugs and add one enhancement are now available for
Red Hat Enterprise Linux 6.
The libguestfs packages contain a library, which is used for accessing and modifying guest disk
images.
Bug Fixes
BZ#603000
Previously, the do_part_get_bootable() API function parsed the output of parted with
an assumption that the partition layout on the guest image was well ordered. As a
consequence, the part-get-bootable API would produce an incorrect result or even
terminate with disks where the partitions were not in the usual order or were missing. With
this update, the source code is modified so that libguestfs can correctly handle disks
with unordered partitions.
BZ#627835
Previously, the libguestfs protocol lost synchronization when using the upload command
in the guestfish command line tool before mounting any disks. Uploading files failed and
an error message was reported due to the library and the daemon sending cancel
messages in an incorrect order. With this update, if the daemon detects cancellation, it
sends the remaining data in its output buffer instead of discarding it.
BZ#666578, BZ#678231
Previously, if guests used the LABEL or UUID (Universal Unique Identifier) identifiers for
swap devices in the guest /etc/fstab file, the virt-inspector utility reported the
unknown filesystem error message. The source code has been modified, and the utility
now works correctly and no longer displays error messages.
BZ#682980
Prior to this update, libguestfs could have incorrectly detected Red Hat Enterprise Linux
Desktop distributions as "redhat-based" instead of "redhat". As a consequence, the
virt-v2v utility failed to convert such guests. With this update, libguestfs is modified to
detect these distributions correctly as "redhat". Now, conversion is successful.
BZ#684980
Calling the guestfs_kill_subprocess() function and then closing the connection
handle by calling guestfs_close() could cause the libguestfs connection to become
unresponsive. The source code has been modified to close the connection correctly so that
the connection no longer hangs.
BZ#685009
After the resize operation, the ntfsresize utility marks the file system as requiring a
consistency check. As a consequence, an error message can appear when resizing the
same file system multiple times in a row without rebooting the virtual machine. With this
update, the ntfsresize(8) manual page describes this behavior.
BZ#688062
Previously, when pressing the tab key in the guestfish command line tool, the mapped
devices created by luks-open were not listed. With this update, /dev/mapper/ paths are
added to tab-completion and the devices are displayed when pressing the tab key.
BZ#690358
Querying a fully-virtualized guest works reliably only for Linux guests. With this update, the
virt-inspector(1) manual page is modified to note this.
BZ#692394
Previously, the inspect-list-applications API and virt-inspector2 utility did not detect
32-bit applications installed under the WoW64 (Windows 32-bit on Windows 64-bit)
emulator on a 64-bit Windows guest. With this update, the source code is modified to
display the installed applications with their description in the output.
BZ#693306
Iterables passed instead of plain lists could cause the RuntimeError exception to be thrown
when calling libguestfs' Python interface. The Python bindings have been modified so that
any iterable argument can be used as a list.
BZ#695881
Previously, the virt-make-fs tool generated the qemu-img command which contained an
incorrect decimal point in the output. As a result, an error message was reported. With this
update, the source code is modified so that the virt-make-fs tool invokes qemu-img
correctly in all cases.
BZ#713529
Due to incorrect mounting of guest file systems, the virt-v2v utility could fail when the guest
/etc/fstab file contained file systems marked with LABEL. This update modifies the
source code so that the file systems are mounted correctly. As a result, virt-v2v no longer
fails.
BZ#725563
With this update, libguestfs is rebuilt against the latest parted package, which adds support
for the Legacy BIOS Bootable flag in the GPT (GUID Partition Table) attribute field.
BZ#727178
Prior to this update, a build error prevented libguestfs from working on LUKS (Linux Unified
Key Setup) encrypted disks. As a result, loading of shared libraries failed with an error
message. An upstream patch has been applied to address this issue and libguestfs now
works correctly on LUKS devices.
BZ#729887
This update adds the description of typecheck lenses in the guestfish(1) manual page.
BZ#730248
The guestfish(1) manual page has been modified to mention that guestfish --remote
run should not be used in a command substitution context.
Enhancement
BZ#672491
Prior to this update, the guestfs_last_errno() function was not exposed in the Perl
bindings. As a consequence, it was not directly possible to determine the precise cause of
some failures. To fix this problem, guestfs_last_errno() is now exposed in the Perl bindings.
All users of libguestfs are advised to upgrade to these updated packages, which fix these bugs and
add this enhancement.
4.135.2. RHEA-2012:0458 — libguestfs enhancement update
Enhanced libguestfs packages are now available for Red Hat Enterprise Linux 6.
[Updated 6 Apr 2011] The text of this advisory has been updated to reflect the fact that these
packages are not new in Red Hat Enterprise Linux 6.
The libguestfs library allows guest disk images to be accessed and modified. It also enables the
making of batch configuration changes to guests, manages migrations between virtualization
systems (but also see the virt-p2v utility), obtains information about disk usage (see also the virt-df
utility), performs partial backups, guest clones and partial guest clones, and is able to carry out
configuration changes to the registry, UUI, and hostname, among other duties.
The libguestfs library can be linked with C and C++ management programs.
The guestfish package enables shell scripting and command line access to libguestfs.
The libguestfs-mount package allows guest file systems to be mounted on the host using the FUSE
(Filesystem in Userspace) file system.
Included among these packages are several which enable language bindings:
for Perl bindings, see the perl-Sys-Guestfs package.
for OCaml bindings, see the ocaml-libguestfs-devel package.
for Python bindings, see the python-libguestfs package.
for Ruby bindings, see the ruby-libguestfs package.
for Java bindings, see the libguestfs-java-devel package.
Enhancement
BZ#810251
This enhancement update moves the python-libguestfs package from the Red Hat
Enterprise Linux 6 Optional channels to the Red Hat Enterprise Linux 6 base channels. This
update does not make any other changes to these packages.
All users who require libguestfs should install these enhanced packages.
4.136. libhbaapi
4.136.1. RHBA-2011:1605 — libhbaapi bug fix and enhancement update
An updated libhbaapi package that fixes multiple bugs and adds various enhancements is now
available for Red Hat Enterprise Linux 6.
The Host Bus Adapter API is a C-level project to manage Fibre Channel Host Bus Adapters.
The package has been upgraded to upstream version 2.2, which provides a number of bug fixes and
enhancements over the previous version. (BZ #719585)
Users are advised to upgrade to this updated libhbaapi package, which fixes these bugs and adds
these enhancements.
4.137. libhbalinux
4.137.1. RHBA-2011:1606 — libhbalinux bug fix and enhancement update
An updated libhbalinux package that fixes multiple bugs and adds various enhancements is now
available for Red Hat Enterprise Linux 6.
The libhbalinux package contains the Host Bus Adapter API (HBAAPI) vendor library which uses
standard kernel interfaces to obtain information about Fiber Channel Host Buses (FC HBA) in the
system.
The package has been upgraded to upstream version 1.0.12, which provides a number of bug fixes
and enhancements over the previous version. (BZ #719584)
Users are advised to upgrade to this updated libhbalinux package, which fixes these bugs and adds
these enhancements.
4.138. libhugetlbfs
4.138.1. RHEA-2011:1685 — libhugetlbfs bug fix and enhancement update
Updated libhugetlbfs packages that fix several bugs and add one enhancement are now available
for Red Hat Enterprise Linux 6.
The libhugetlbfs packages provide the library and utilities that are used to interact with the Linux
hugetlbfs file system to make large pages available to applications in a transparent manner.
The libhugetlbfs packages have been upgraded to upstream version 2.12, which provides a number
of bug fixes and adds administrator support for using large pages over the previous
version. The libhugetlbfs library and utilities now increase overall system performance, especially for
large memory systems. The packages are synchronized with kernel support. (BZ #630171)
All users of libhugetlbfs are advised to upgrade to these updated packages which fix these bugs and
add this enhancement.
4.139. libica
4.139.1. RHBA-2011:1567 — libica bug fix and enhancement update
Updated libica packages that fix multiple bugs and add various enhancements are now available for
Red Hat Enterprise Linux 6.
The libica library contains a set of functions and utilities for accessing the IBM eServer
Cryptographic Accelerator (ICA) hardware on the IBM System z.
The libica library has been upgraded to version 2.1, which provides a number of bug fixes and
enhancements over the previous version. (BZ #694247)
All libica users are advised to upgrade to these updated packages, which fix these bugs and add
these enhancements.
4.140. libnih
4.140.1. RHEA-2011:1672 — libnih enhancement update
An updated libnih package that adds one enhancement is now available for Red Hat Enterprise
Linux 6.
The libnih package includes a small library for C application development. The library is similar to
other C libraries, such as glib.
Enhancement
BZ#727284
Previously, the libnih package was compiled without the read-only relocations (RELRO)
flag. Programs built against the libnih library could be vulnerable to various attacks based
on overwriting the ELF section of a program. To enhance the security, the libnih package is
now provided with partial RELRO support.
All users of libnih are advised to upgrade to this updated package, which adds this enhancement.
4.141. libpng
4.141.1. RHSA-2012:0317 — Important: libpng security update
Updated libpng and libpng10 packages that fix one security issue are now available for Red Hat
Enterprise Linux 4, 5, and 6.
The Red Hat Security Response Team has rated this update as having important security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link(s) associated with each description below.
The libpng packages contain a library of functions for creating and manipulating PNG (Portable
Network Graphics) image format files.
Security Fix
CVE-2011-3026
A heap-based buffer overflow flaw was found in libpng. An attacker could create a
specially-crafted PNG image that, when opened, could cause an application using libpng
to crash or, possibly, execute arbitrary code with the privileges of the user running the
application.
Users of libpng and libpng10 should upgrade to these updated packages, which contain a
backported patch to correct this issue. All running applications using libpng or libpng10 must be
restarted for the update to take effect.
4.141.2. RHSA-2012:0407 — Moderate: libpng security update
Updated libpng packages that fix one security issue are now available for Red Hat Enterprise Linux 5
and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The libpng packages contain a library of functions for creating and manipulating PNG (Portable
Network Graphics) image format files.
Security Fix
CVE-2011-3045
A heap-based buffer overflow flaw was found in the way libpng processed compressed
chunks in PNG image files. An attacker could create a specially-crafted PNG image file that,
when opened, could cause an application using libpng to crash or, possibly, execute
arbitrary code with the privileges of the user running the application.
Users of libpng should upgrade to these updated packages, which correct this issue. For Red Hat
Enterprise Linux 5, they contain a backported patch. For Red Hat Enterprise Linux 6, they upgrade
libpng to version 1.2.48. All running applications using libpng must be restarted for the update to
take effect.
4.141.3. RHSA-2012:0523 — Moderate: libpng security update
Updated libpng packages that fix one security issue are now available for Red Hat Enterprise Linux 5
and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The libpng packages contain a library of functions for creating and manipulating PNG (Portable
Network Graphics) image format files.
Security Fix
CVE-2011-3048
A heap-based buffer overflow flaw was found in the way libpng processed tEXt chunks in
PNG image files. An attacker could create a specially-crafted PNG image file that, when
opened, could cause an application using libpng to crash or, possibly, execute arbitrary
code with the privileges of the user running the application.
Users of libpng should upgrade to these updated packages, which correct this issue. For Red Hat
Enterprise Linux 5, they contain a backported patch. For Red Hat Enterprise Linux 6, they upgrade
libpng to version 1.2.49. All running applications using libpng must be restarted for the update to
take effect.
4.142. libselinux
4.142.1. RHBA-2011:1559 — libselinux bug fix update
Updated libselinux packages that fix three bugs are now available for Red Hat Enterprise Linux 6.
The libselinux packages contain the core library of an SELinux system. The libselinux library
provides an API for SELinux applications to get and set process and file security contexts, and to
obtain security policy decisions. It is required for any applications that use the SELinux API, and
used by all applications that are SELinux-aware.
Bug Fixes
BZ#698583
Prior to this update, Python bindings for the restorecon command required a user to specify
the entire path. Consequent to this, an attempt to use the selinux.restorecon() function with
a relative path failed with the following error message:
OSError: [Errno 2] No such file or directory
This update corrects the Python bindings to allow the use of the selinux.restorecon()
function with a relative path or just a file name.
BZ#706049
Previously, the is_selinux_enabled() function may have incorrectly returned a positive
value even when SELinux was disabled on the machine. This happened when the same process that
made the calls to disable SELinux attempted to determine if SELinux is enabled, because
the selinux_mnt variable was not properly freed and still contained old data. With this
update, a patch has been applied to make sure the selinux_mnt variable is now properly
freed, and the is_selinux_enabled() function works as expected.
BZ#748471
When a semanage login record was set up using a group name and the number of
elements in the group was too large, login programs failed to log in the user with the correct
context. This update corrects the libselinux library to return all users within a group so that
the correct SELinux user record is used. As a result, users with the correct context can now
log in as expected in this scenario.
All users of libselinux are advised to upgrade to these updated packages, which fix these bugs.
4.142.2. RHEA-2012:0460 — libselinux enhancement update
Enhanced libselinux packages are now available for Red Hat Enterprise Linux 6.
[Updated 6 Apr 2011] The text of this advisory has been updated to reflect the fact that these
packages are not new in Red Hat Enterprise Linux 6.
Security-enhanced Linux (SELinux) is a feature of the Linux kernel and a number of utilities with
enhanced security functionality designed to add mandatory access controls to Linux. The
Security-enhanced Linux kernel contains new architectural components originally developed to improve the
security of the Flask operating system. These architectural components provide general support for
the enforcement of many kinds of mandatory access control policies, including those based on the
concepts of Type Enforcement, Role-based Access Control, and Multi-level Security. The libselinux
library provides an API for SELinux applications to get and set process and file security contexts and
to obtain security policy decisions, and is required for any applications that use the SELinux API.
This enhancement update moves the selinux-ruby package from the Red Hat Enterprise Linux 6
Optional channels to the Red Hat Enterprise Linux 6 base channels. This update does not make any
other changes to these packages. (BZ #810119)
All users who require SELinux should install these enhanced packages.
4.142.3. RHEA-2013:0809 — libselinux enhancement update
Updated libselinux packages that add one enhancement are now available for Red Hat Enterprise
Linux 6 Extended Update Support.
The libselinux packages contain the core library of an SELinux system. The libselinux library
provides an API for SELinux applications to get and set process and file security contexts, and to
obtain security policy decisions. It is required for any applications that use the SELinux API, and
used by all applications that are SELinux-aware.
Enhancement
BZ#956981
Previously, a substitution of the "/" directory was not directly possible. With this update,
support for a substitution of the root directory has been added to allow proper labeling of
all directories and files under an alternative root directory.
Users of libselinux are advised to upgrade to these updated packages, which add this
enhancement.
4.143. libsemanage
4.143.1. RHBA-2011:1770 — libsemanage bug fix update
Updated libsemanage packages that fix file creation when umask is changed.
The libsemanage library provides an API for the manipulation of SELinux binary policies. It is used
by checkpolicy (the policy compiler) and similar tools, as well as by programs such as load_policy,
which must perform specific transformations on binary policies (for example, customizing policy
boolean settings).
Bug Fix
BZ#747345
When running semanage commands while umask is set to 027 (or to a similar value that
restricts a non-privileged user from reading files created with such a file-creating mask),
semanage changed the permissions of certain files such as the
/etc/selinux/mls/contexts/files/file_contexts file. As a consequence, non-privileged
processes were not able to read such files and certain commands such as the restorecon
command failed to run on these files. To solve this problem, libsemanage has been
modified to save and clear umask before libsemanage creates context files and then restore
it after the files are created so that the files are readable by non-privileged
processes. Operations on these context files now work as expected.
All users of libsemanage are advised to upgrade to these updated packages, which fix this bug.
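The fix described for BZ#747345, shown as an added C example (not libsemanage code): a file requested with mode 0644 under umask 027 ends up 0640, while saving and clearing the umask around the creation yields 0644 and leaves the caller's umask intact. The function names and the temporary file_contexts path are constructed for illustration.

```c
/* Added example: how a restrictive umask narrows a shared file's mode, and
 * the save/clear/restore pattern that avoids it. Names are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Failure mode: the requested mode is filtered through the caller's umask. */
int create_inheriting_umask(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    return fd < 0 ? -1 : close(fd);
}

/* Fixed pattern: save and clear the umask, create the file, restore the umask. */
int create_with_exact_mode(const char *path, mode_t mode)
{
    mode_t saved = umask(0);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    int open_errno = errno;

    umask(saved);               /* restore even when open() failed */
    if (fd < 0) {
        errno = open_errno;
        return -1;
    }
    return close(fd);
}

/* Permission bits of path, or -1 on error. */
int perm_bits(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Create a 0644 file under the given umask in a fresh temporary directory.
 * Returns the resulting permission bits, -1 on I/O error, or -2 if the
 * creation routine left the process umask changed. */
int demo_mode(mode_t mask, int use_fix)
{
    const char *base = getenv("TMPDIR");
    char dir[256], path[300];
    int bits = -1;
    mode_t entry_mask;

    snprintf(dir, sizeof dir, "%s/umask-demo-XXXXXX", base && *base ? base : "/tmp");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/file_contexts", dir);

    entry_mask = umask(mask);                   /* simulate the admin's shell */
    if ((use_fix ? create_with_exact_mode : create_inheriting_umask)(path, 0644) == 0)
        bits = perm_bits(path);
    if (umask(entry_mask) != mask)              /* umask must be unchanged */
        bits = -2;

    unlink(path);
    rmdir(dir);
    return bits;
}

int main(void)
{
    printf("umask 027, plain open():       %04o\n", (unsigned)demo_mode(027, 0));
    printf("umask 027, save/clear/restore: %04o\n", (unsigned)demo_mode(027, 1));
    return 0;
}
```

umask() is process-wide, so in a multithreaded program the cleared window is visible to other threads; calling fchmod() on the descriptor after open() sets the mode without touching the umask.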
4.144. libsepol
4.144.1. RHBA-2011:1689 — libsepol enhancement update
Enhanced libsepol packages are now available for Red Hat Enterprise Linux 6.
The libsepol library provides an API for the manipulation of SELinux binary policies. It is used by
checkpolicy (the policy compiler) and similar tools, as well as by programs like load_policy that need
to perform specific transformations on binary policies (for example, customizing policy boolean
settings).
Enhancement
BZ#727285
Previously, the libsepol packages were compiled without the RELRO (read-only relocations)
flag. As a consequence, programs provided by this package and also programs built
against the libsepol libraries were vulnerable to various attacks based on overwriting the
ELF section of a program. To increase the security of libsepol programs and libraries, the
libsepol spec file has been modified to use the "-Wl,-z,relro" flags when compiling the
packages. As a result, the libsepol packages are now provided with partial RELRO
protection.
Users of libsepol are advised to upgrade to these updated packages, which add this enhancement.
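Whether a library was built with the "-Wl,-z,relro" flags mentioned in the libgcrypt, libgpg-error, libnih and libsepol entries can be checked from its ELF headers: a PT_GNU_RELRO segment means partial RELRO, and a bind-now marker in the dynamic table on top of that means full RELRO. The C program below is an added example, not Red Hat or project code; it handles little-endian ELF64 only, and its function names and the in-memory sample image are constructed for illustration.

```c
/* Added example. Assumes a little-endian host (e.g. x86_64) and ELF64 input. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum relro { RELRO_ERROR = -1, RELRO_NONE, RELRO_PARTIAL, RELRO_FULL };

/* True when [off, off + len) lies inside a buffer of `size` bytes. */
static int in_bounds(uint64_t off, uint64_t len, size_t size)
{
    return off <= size && len <= size - off;
}

/* none:    no PT_GNU_RELRO segment
 * partial: PT_GNU_RELRO present (linked with -z relro)
 * full:    PT_GNU_RELRO present and eager binding requested (-z relro -z now) */
enum relro classify_relro(const unsigned char *img, size_t size)
{
    Elf64_Ehdr eh;
    int has_relro = 0, bind_now = 0;

    if (size < sizeof eh) return RELRO_ERROR;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_ident[EI_DATA] != ELFDATA2LSB ||
        eh.e_phentsize != sizeof(Elf64_Phdr) ||
        !in_bounds(eh.e_phoff, (uint64_t)eh.e_phnum * sizeof(Elf64_Phdr), size))
        return RELRO_ERROR;

    for (int i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_RELRO) has_relro = 1;
        if (ph.p_type != PT_DYNAMIC) continue;
        if (!in_bounds(ph.p_offset, ph.p_filesz, size)) return RELRO_ERROR;
        /* Walk the dynamic table looking for any of the bind-now markers. */
        for (uint64_t o = 0; o + sizeof(Elf64_Dyn) <= ph.p_filesz; o += sizeof(Elf64_Dyn)) {
            Elf64_Dyn d;
            memcpy(&d, img + ph.p_offset + o, sizeof d);
            if (d.d_tag == DT_NULL) break;
            if (d.d_tag == DT_BIND_NOW ||
                (d.d_tag == DT_FLAGS && (d.d_un.d_val & DF_BIND_NOW)) ||
                (d.d_tag == DT_FLAGS_1 && (d.d_un.d_val & DF_1_NOW)))
                bind_now = 1;
        }
    }
    if (!has_relro) return RELRO_NONE;
    return bind_now ? RELRO_FULL : RELRO_PARTIAL;
}

/* Constructed sample image: ELF header, two program headers, one dynamic table. */
size_t build_sample(unsigned char *out, size_t cap, int with_relro, int bind_now)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph[2];
    Elf64_Dyn dyn[2];
    size_t total = sizeof eh + sizeof ph + sizeof dyn;

    if (cap < total) return 0;
    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memset(dyn, 0, sizeof dyn);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = 2;
    ph[0].p_type = PT_DYNAMIC;
    ph[0].p_offset = sizeof eh + sizeof ph;
    ph[0].p_filesz = sizeof dyn;
    ph[1].p_type = with_relro ? PT_GNU_RELRO : PT_NULL;
    dyn[0].d_tag = DT_FLAGS;
    dyn[0].d_un.d_val = bind_now ? DF_BIND_NOW : 0;
    /* dyn[1] stays zeroed, which is the DT_NULL terminator. */
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, sizeof ph);
    memcpy(out + sizeof eh + sizeof ph, dyn, sizeof dyn);
    return total;
}

/* Build the constructed sample and classify it. */
enum relro classify_sample(int with_relro, int bind_now)
{
    unsigned char img[512];
    return classify_relro(img, build_sample(img, sizeof img, with_relro, bind_now));
}

int main(void)
{
    static const char *name[] = { "none", "partial", "full" };
    printf("no RELRO segment: %s\n", name[classify_sample(0, 0)]);
    printf("-z relro        : %s\n", name[classify_sample(1, 0)]);
    printf("-z relro -z now : %s\n", name[classify_sample(1, 1)]);
    return 0;
}
```

To check an installed library, read the file into memory and pass the bytes to classify_relro(); a result of RELRO_PARTIAL matches the "partial RELRO protection" these entries describe.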
4.145. libsndfile
4.145.1. RHBA-2011:1226 — libsndfile bug fix update
An updated libsndfile package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The libsndfile package provides a library for reading and writing sound files.
Bug Fix
BZ#664323
Prior to this update, the libsndfile package was built without the Ogg container format
support. As a result, applications using the libsndfile library were not able to work with the
Ogg format. With this update, the problem has been fixed so that applications can now
work with the Ogg format as expected.
All users of libsndfile are advised to upgrade to this updated package, which fixes this bug.
4.146. libssh2
4.146.1. RHBA-2012:0431 — libssh2 bug fix update
An updated libssh2 package that fixes two bugs is now available for Red Hat Enterprise Linux 6.
The libssh2 package provides a library that implements the SSH2 protocol.
Bug Fixes
BZ#803389
Previously, an insufficient data type was used for certain bit shift operations in the libssh2
code. This could result in an arithmetic overflow, which caused the curl utility to terminate
unexpectedly when downloading files larger than 2 GB over the SFTP protocol. With this
update, the underlying code has been modified to use the correct data type and curl now
works as expected in the scenario described.
BZ#805026
When sending a large amount of data over SSH, libssh2 could, under certain
circumstances, fail to resume an interrupted key exchange. Instead of that, further data was
erroneously sent, which caused the remote site to close the connection immediately. This
update modifies the code of libssh2 so that libssh2 now properly resumes the interrupted
key exchange before sending any further data. The connection remains open and the data
transfer proceeds as expected.
All users of libssh2 are advised to upgrade to this updated package, which fixes these bugs. After
installing this updated package, all running applications using libssh2 have to be restarted for this
update to take effect.
4.147. libtasn1
4.147.1. RHSA-2012:0427 — Important: libtasn1 security update
Updated libtasn1 packages that fix one security issue are now available for Red Hat Enterprise Linux
6.
The Red Hat Security Response Team has rated this update as having important security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link(s) associated with each description below.
libtasn1 is a library developed for ASN.1 (Abstract Syntax Notation One) structures management that
includes DER (Distinguished Encoding Rules) encoding and decoding.
Security Fix
CVE-2012-1569
A flaw was found in the way libtasn1 decoded DER data. An attacker could create
carefully-crafted DER encoded input (such as an X.509 certificate) that, when parsed by an
application that uses libtasn1 (such as applications using GnuTLS), could cause the
application to crash.
Red Hat would like to thank Matthew Hall of Mu Dynamics for reporting this issue.
Users of libtasn1 are advised to upgrade to these updated packages, which contain a backported
patch to correct this issue. For the update to take effect, all applications linked to the libtasn1 library
must be restarted, or the system rebooted.
4.148. libtiff
4.148.1. RHSA-2012:0468 — Important: libtiff security update
Updated libtiff packages that fix two security issues are now available for Red Hat Enterprise Linux 5
and 6.
The Red Hat Security Response Team has rated this update as having important security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link(s) associated with each description below.
The libtiff packages contain a library of functions for manipulating Tagged Image File Format (TIFF)
files.
Security Fix
CVE-2012-1173
Two integer overflow flaws, leading to heap-based buffer overflows, were found in the way
libtiff attempted to allocate space for a tile in a TIFF image file. An attacker could use these
flaws to create a specially-crafted TIFF file that, when opened, would cause an application
linked against libtiff to crash or, possibly, execute arbitrary code.
All libtiff users should upgrade to these updated packages, which contain a backported patch to
resolve these issues. All running applications linked against libtiff must be restarted for this update to
take effect.
4.149. libtirpc
4.149.1. RHBA-2011:1745 — libtirpc bug fix update
An updated libtirpc package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The libtirpc package contains SunLib's implementation of transport independent RPC (TI-RPC)
documentation. This includes a library required by programs in the nfs-utils and rpcbind packages.
Bug Fix
BZ#714015
Due to certain errors and missing code in libtirpc, user space NFS servers were not able to
fully utilize the RPCSEC_GSS security protocol, which allows remote procedure call (RPC)
protocols to access the Generic Security Services Application Programming Interface
(GSS-API). With this update, the problems have been fixed in the libtirpc code. The
RPCSEC_GSS protocol now can be used by NFS servers properly.
All users of libtirpc are advised to upgrade to this updated package, which fixes this bug.
4.150. libvirt
4.150.1. RHBA-2011:1513 — libvirt bug fix and enhancement update
Updated libvirt packages that fix multiple bugs and add various enhancements are now available for
Red Hat Enterprise Linux 6.
The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux
and other operating systems. In addition, libvirt provides tools for remote management of virtualized
systems.
Bug Fixes
BZ#710150
Due to a bug in the qemuAuditDisk() function, hot unplug failures were never audited, and
a hot unplug success was audited as a failure. This bug has been fixed, and auditing of
disk hot unplug operations now works as expected.
BZ#711151
Previously, a bug in the qemu-img command line arguments prevented the creation of
encrypted volumes. This update fixes the bug, and encrypted volumes can now be
successfully created.
BZ#711206
Previously, when a debug process was being activated, the act of preparing a debug
message ended up with dereferencing a Universally Unique Identifier (UUID) prior to the
NULL argument check. As a consequence, an API running the debug process sometimes
terminated unexpectedly with a segmentation fault. With this update, a patch has been
applied to address this issue, and crashes no longer occur in the described scenario.
BZ#742646
Due to a programming mistake in the initialization code of the libvirtd daemon, the QEMU
driver could have failed to find the user or group ID of the qemu application on the system.
As a consequence, libvirtd failed to start. With this update, the error has been corrected and
libvirtd now starts as expected.
BZ#741217
If the QEMU driver failed to update information about currently allocated memory, installing
a new virtual machine failed with the following error message:
ERROR
cannot send monitor command '{"execute":"queryballoon"}':
Connection reset by peer
With this update, the driver has been modified to not consider this behavior as fatal.
Installation now proceeds and finishes as expected.
BZ#690695
Previously, when running the "virsh vol-create-from" command on a Logical Volume
Manager (LVM) storage pool, performance of the command was very low and the operation
consumed an excessive amount of time. This bug has been fixed in the
virStorageVolCreateXMLFrom() function, and the performance problem of the command no
longer occurs.
BZ#690175
When migrating a QEMU domain and restarting the libvirtd daemon, the migration was not
properly canceled. The domain was left on the target host or ended up in an unexpected
state on the source host. With this update, the libvirtd daemon tracks ongoing migrations in
a persistent file, and properly cancels them when the daemon is being restarted.
BZ#738146
The "virsh dump" command can fail to dump the core of a domain if the user sets incorrect
permissions for the destination directory. Previously, the virsh(1) man page did not provide
any information about the permissions required to successfully complete a domain core
dump. This information is now included in the man page.
BZ#734773
When shutting down a guest operating system, libvirt killed the QEMU process without
giving it enough time to flush all disk I/O buffers. This led in certain cases to loss of data or
corruption of the virtual disk. With this update, libvirt gives QEMU enough time to flush the
buffers and exits instead of forcibly killing the process.
BZ#738148
When the user started a virtual machine, changed its definition, and migrated the virtual
machine, the new settings were not available on the destination. With this update, the
settings are transferred to the destination by a live XML file which includes current settings
of the running virtual machine. Now, settings are kept during the migration.
BZ#669549
Previously, libvirt did not exercise enough control over whether a domain change should
affect the running domain, the persistent configuration, or both. Various virsh commands
were inconsistent, and attempts to change a configuration of a running domain did not
persist to the next boot. With this update, several libvirt commands have new flags to
distinguish between live and persistent configurations. The corresponding virsh commands
can be used with the "--config" and "--live" flags to provide a more consistent interface.
Management applications have finer control over whether various configuration changes
affect hot plug, next boot, or both.
BZ#674537
Various logic bugs affected the handling of snapshots in libvirt. Among these, restarting the
libvirtd daemon would lose track of the current snapshot, and a change in QEMU behavior
would trigger a latent bug in libvirt's ability to restore certain snapshots. Snapshots were
therefore unreliable and hard to manage. This update provides a number of bug fixes and
flags to the existing snapshot management APIs, so that libvirt can provide all the snapshot
features, as documented. Management applications can use system checkpoint snapshots
for better control when rolling back to known stable states of a virtual machine.
BZ#677229
Previously, libvirt did not support attaching of interfaces to an inactive virtual machine by
using the "virsh attach-interface" command. Users had to use workarounds, for example
editing the whole domain by executing "virsh edit". This update adds support for attaching
interfaces even to inactive virtual machines. As a result, users do not need to use the
workarounds, but can use virsh directly.
BZ#727474
Previously, libvirt used an improper separator (comma) in the "lvs" command. This caused
the regular expression, which is used to parse the "lvs" output, to not function correctly. In
addition, libvirt did not use the right mechanism to format multiple XML "devices" elements
for multiple device paths of a striped volume. As a consequence, creation of any logical
pool failed for LVM volume groups with striped volumes. With this update, a different
separator (hash) is used. Multiple device paths of a striped volume are parsed correctly
and multiple XML "devices" elements are formatted as expected. Users are now able to
create logical pools which contain a striped volume, and get proper XML for the striped
volume as well.
BZ#720269
If the source QEMU process was not able to connect to the destination process when
migrating a QEMU domain, libvirt could report "undefined error". With this update, libvirt
creates the connection to the destination QEMU process and makes QEMU use this
pre-created connection. This allows libvirt to report meaningful errors if the connection attempt
fails.
BZ#707257
If an NFS (Network File System) storage was configured to be accessible only by users from
a supplementary group for a user whose identity was used to run QEMU processes, the
libvirtd daemon in certain cases failed to access or create files on that storage. With this
update, libvirtd properly initializes supplementary groups when changing identity to QEMU
users and groups. This allows libvirtd to access and create such files.
BZ#698825
Previously, it was not possible to maximize the performance of a KVM guest using memory
binding on a NUMA (Non-Uniform Memory Access) host if the guest was started by libvirt.
This update introduces new XML definitions to support NUMA memory policy configuration.
Users can now specify the NUMA memory policy by using the guest XML definitions. The
performance can be adjusted by NUMA memory binding.
BZ#704144
The libvirt library uses the "boot=on" option to determine which disk is bootable. The
previous version of the qemu-kvm utility did not support this option, and libvirt could not
use it. As a consequence, when an IDE disk was added as the second storage with a virtio
being set up as the first one by default, the operating system tried to boot from the IDE disk
rather than the virtio disk and either failed to boot with the "No bootable disk" error
message, or the system booted whatever operating system was on the IDE disk. With this
update, the boot configuration is translated into bootindex, which provides control over
which device is used for booting a guest operating system.
BZ#751900
Prior to this update, when a QEMU migration to a file was triggered, libvirt temporarily set
the migration bandwidth to "unlimited" in an attempt to speed up saving of the state of the
virtual machine. A limitation in QEMU caused QEMU not to return from the migrate command
until the migration itself was complete. This locked out the QEMU monitor response loop
and the migration to file process could not be interrupted. With this update, migration to file
can be monitored for progress or interruptions. Now, libvirt no longer ignores job info or
abort commands during the migration to file process.
BZ#738970
The virsh(1) man page did not mention detailed information about the drivers used for the
"attach-disk" command with QEMU domains. If the command on a QEMU domain failed with
an incorrect driver, users were unaware of what driver name should be used with QEMU. To
fix this problem, the manual page now specifies what the "driver" parameter can contain.
BZ#693203
Running the "virsh list" command could become unresponsive when a QEMU process
tracked by the libvirtd daemon did not respond to the monitor command. With this update,
"virsh list" no longer requires interaction with running QEMU processes and can therefore
list all domains even if a guest becomes unresponsive.
BZ#691830
If the user wanted to take a screenshot of a running virtual machine, the user had to use
other tools (for example, virt-manager). A new libvirt API, virDomainScreenshot, is provided
with this update, and allows users to take screenshots if the hypervisor supports it. Now,
users no longer need to use third-party tools to take screenshots, but can use libvirt
directly.
BZ#682237
SPICE (the Simple Protocol for Independent Computing Environments) supports multiple
compression settings for audio, images and streaming. With this update, the libvirt XML
schema is extended to support these kinds of settings so that users can set SPICE
compression options directly in libvirt.
BZ#682084
Previously, libvirt did not support virtual CPU pinning on inactive virtual machines by
running the "virsh vcpupin" command. Users had to use workarounds instead. With this
update, libvirt now supports virtual CPU pinning on inactive virtual machines. Users no
longer need to use workarounds but can use virsh directly.
BZ#681458
Previously, libvirt did not support attaching devices to an inactive virtual machine by
running the "virsh attach-device" command. Users had to use workarounds, for example
had to edit the whole domain using "virsh edit". With this update, libvirt provides enhanced
support for attaching devices even to inactive virtual machines. Users no longer need to use
their workarounds but can use virsh directly.
BZ#727088
Previously, the new storage type added to libvirt was not fully supported. As a
consequence, directory type storage volumes were reported to be file storage volumes. The
new volume type has been added to the public API. The volume type is now correctly
reported and displayed in associated tools.
BZ#641087
Users were allowed to change the domain's CPU affinity dynamically in libvirt, however
there was no persistent XML provided, and the settings were lost on the next domain start.
This update introduces a new XML to support the persistent configuration of domain's CPU
affinity. Also, new flags ("--live", "--config", and "--current") are introduced for the "virsh
vcpupin" command. Now, the domain's CPU affinity persists across the next start.
BZ#730750
Previously, libvirt attempted to load a managed save file instead of starting a domain from
the beginning, even if the managed save file was damaged and could not be loaded. This
could confuse users who were not aware of the problem. This update introduces a new
command, "virsh start --force-boot", as well as improved logic which ensures that a
managed save file is not loaded if it is corrupted. Use of managed save images no longer
causes confusion.
BZ#728153
If both the SysV init and upstart scripts were installed, and the libvirtd daemon was
managed by upstart, the SysV init script was unaware of this. As a consequence, the SysV
init script reported confusing error messages. The user was unable to restart the daemon by
using the SysV init script, and was also unaware of the fact that libvirtd was managed by
upstart. With this update, the SysV init script checks whether libvirtd is managed by upstart.
In the positive case, the user is advised to use the upstart tools to manage libvirtd. Users
are now able to restart the libvirtd daemon while using upstart.
BZ#728428
When restarting the libvirtd daemon, libvirt reloaded the domain configuration from the
status XML if the XML existed (the domain was running). However, the original domain
configuration was not recorded and the domain configuration could not be restored to the
original one. As a consequence, the nonpersistent attached devices still existed after
restarting libvirtd. With this update, the original domain configuration is recorded by
assigning the persistent domain configuration to the newDef method if it's NULL and the
domain is running. The nonpersistent attached devices no longer exist if libvirtd is
restarted.
BZ#728654
A broken configuration file caused the libvirtd daemon to exit silently, with no error
messages logged or any other indication of a problem, which could confuse the user.
Error handling messages have been added to the early start phases of
libvirtd. Errors which occur during the start are now printed and logged.
BZ#678027
Previously, the DMI (Desktop Management Interface) data was not present on all
architectures. Running the "virsh sysinfo" command failed on certain architectures because
the DMI data was obtained from the missing /sys/devices/virtual/dmi tree. With this update,
the DMI information is no longer fetched on non-Intel architectures. As a result, running the
"virsh sysinfo" command works as expected.
BZ#730244
Previously, an invalid variable was used to construct error messages. If a migration
command failed, the error message reported the remote URI to be "(null)" instead of the
requested migration URI. The reason why the command failed was therefore unknown to the
user. This update implements the correct variable which contains the migration URI. As a
result, the correct migration URI is now reported if an error occurs.
BZ#667631
The monitor command in QEMU that provides migration information for SPICE was
modified. As a consequence, libvirt was unable to send the migration information to SPICE,
the session failed, and the migration terminated. This update modifies libvirt to adapt to the
new monitor command. As a result, users can now perform a successful migration.
BZ#667624
The monitor command in QEMU that is used to change passwords for VNC and SPICE
sessions was changed. As a consequence, libvirt was unable to set any password. This
update modifies libvirt to adapt to the new command. As a result, users can successfully set
passwords for VNC and SPICE sessions.
BZ#667620
Because QEMU changed the format of SPICE events, libvirt was not able to resend these
events to users. This update modifies libvirt to adapt to the new format. As a result, SPICE
events are successfully passed to users through libvirt.
BZ#589922
In certain cases, usually when the virt_use_nfs_selinux boolean was not set, SELinux
policies prevented qemu from opening a disk image. As a consequence, qemu refused to
start. This update provides a verbose error message which advises the user to set
virt_use_nfs_selinux in the aforementioned scenario.
BZ#697742
Previously, libvirt did not remove the managed save file if a domain was undefined. When
the user installed a new guest after destroying and undefining the previous one, the
managed save file for the previous guest was still present, and the new guest failed to start
because it would use a managed save file with the same name. This update introduces a
new API, virDomainUndefineFlags, which allows users to specify flags (for example, "virsh
undefine --managed-save"). The managed save file can now be successfully removed. If the
user does not specify any option, a comprehensive error message provides additional
information.
BZ#722862
Previously, the virsh(1) man page contained duplicate documentation of the "iface-name"
command, did not provide sufficient documentation of the "iface-mac" command, and
contained certain inconsistent option names. The man page has been modified to provide
correct descriptions.
BZ#692355
Previously, libvirt assigned PCI IDs to virtual devices as needed. As a consequence,
migration of guests could fail in certain cases. With this update, libvirt reserves specific
device IDs for virtual device types, notably 0x01 for IDE controllers and 0x02 for VGA
devices. When migrating guests with other device types on these device IDs, users need to
manually edit the guest XML files to reassign devices away from reserved IDs.
Enhancements
BZ#705814
The libvirt packages have been upgraded to upstream version 0.9.4, which introduces new
APIs for libvirt and adds various enhancements over the previous version.
BZ#632760
In certain scenarios, users want to adjust the traffic of a virtual machine, its specific NIC
(Network Interface Controller), or whole virtual network. Prior to this update, users often
manually ran scripts to set up traffic shaping. This update extends the network and
interface XML definitions. Now, users can set bandwidth limitation, or specify average peak
and burst rates directly in libvirt.
BZ#692769
Users can limit virtual CPUs of a virtual machine by using control groups (cgroups).
However, the appropriate QEMU process needs to be placed into a specific cgroup. Prior to
this update, libvirt was missing this feature, and users had to use their own workarounds.
With this update, libvirt can place a process into a cgroup, which can also be specified by
using the XML definition of a virtual machine. As a result, users can now set virtual CPU
bandwidth limits directly in libvirt.
BZ#711598
With SGA BIOS, it is possible to send boot messages to a serial line instead of a
VNC/SPICE session. With this update, libvirt contains enhanced virtual machine XML
descriptions so that users can set a serial line that allows the showing of boot messages.
Boot messages are now displayed on the serial console as expected.
BZ#643947
The physical network interface configuration can be different on each host machine, even
though each host is using the same logical network. This update adds a virtual switch
abstraction to libvirt. Virtual machines can be configured identically on every host, even if
the physical connectivity is different.
BZ#698340
Previously, libvirt did not support setting of the ioeventfd feature for virtio disks or
interfaces. QEMU could experience high CPU usage as a consequence. The support for
this feature has been added in the XML definition of a virtual machine. Users can now
enable the ioeventfd feature in order to lower CPU usage.
BZ#703851
The address used for listening for VNC connections to a libvirt guest was previously
required to be an IP address. In cases where the guest migrates from one host to another,
and the administrator wants the guest to be listening on a publicly visible interface, this
address must be changed during migration. To make this change possible this update
adds the option for specifying a listen network by name. Now, the guest can be migrated
between the hosts, and its VNC listen address changes automatically as it migrates.
BZ#598792
The "--persistent" option for the "update-device" command was not implemented in virsh.
Users experienced error messages saying that this feature was not supported. This update
modifies libvirt to distinguish between the live and persistent XML definition of a virtual
machine. Users can now change the definition of a virtual machine while the machine is
running. The settings are applied after restarting the virtual machine.
BZ#632498
Running the "virsh dump" command against a virtual machine caused it to dump its
memory. However, users often had to manually reboot the virtual machine after performing a
dump. A new option, "--reset", has been implemented for "virsh dump", so that users can
now use virsh instead of other tools.
BZ#677228
Previously, libvirt did not support attaching disks to an inactive virtual machine by using
the "virsh attach-disk" command. Users had to use workarounds instead. This update
provides enhanced support for attaching disks; disks can be attached even to inactive
virtual machines. Now, users can use virsh directly instead of using workarounds.
BZ#569567
Changes made to host's network configuration by libvirt immediately and permanently
modified host's configuration files. This caused the network to be unusable, and it was
sometimes difficult to restore the original connectivity. This update adds new virsh
commands, so that the current state of the network configuration can be saved and easily
reverted.
BZ#634653
When migrating to a file, saving the state of a virtual machine led to creation of large files
which filled the system cache. The system performance could therefore be affected. This
update introduces the new "--bypass" option for operations that involve migration to file.
This prevents the cache from being filled. Management applications can now control large
virtual machine state files.
All users of libvirt are advised to upgrade to these updated packages, which fix these bugs and add
these enhancements.
4.150.2. RHBA-2011:1778 — libvirt bug fix update
Updated libvirt packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux
and other operating systems. In addition, libvirt provides tools for remote management of virtualized
systems. The library also provides nwfilter support for fine-grained filtering of the network traffic
reaching guests managed by libvirt.
Bug Fix
BZ#754182
Previously, nwfilter support was dependent on the ability to execute scripts in the /tmp
directory, which is considered unsafe. With this ability blocked, guests relying on the
nwfilter component were not allowed to start. The underlying code has been modified so
that nwfilter no longer needs to execute scripts in the /tmp directory.
All users of libvirt are advised to upgrade to these updated packages, which fix this bug. After
installing these updated packages, libvirtd must be restarted. Use the "service libvirtd restart"
command for this update to take effect.
4.150.3. RHBA-2012:0013 — libvirt bug fix and enhancement update
Updated libvirt packages that fix multiple bugs and add two enhancements are now available for Red
Hat Enterprise Linux 6.
The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux
and other operating systems.
Bug Fixes
BZ#768469
This update forces all libvirt managed KVM guests with virtio drives to run with the
scsi=off option. This will prevent SCSI requests in guests being passed to underlying
block devices on the host; however, a separate bug is preventing scsi=off from working
correctly. A malicious, privileged guest user could issue a crafted request that would still
be passed to the underlying block device.
A future qemu-kvm update will correct the scsi=off functionality, blocking such crafted
requests, and allowing CVE-2011-4127 to be mitigated before the kernel update is applied.
As scsi=off may break legitimate pass through of SCSI requests, this update also adds
a new value for the device attribute in the disk XML element, lun. This type is like the default
"disk" device, but will allow SCSI requests from guests to be passed to the underlying block
device on the host. (Using the lun device attribute causes the guest to run with scsi=on.)
Note: After installing the RHSA-2011:1849 kernel update, it will not be possible for guests to
issue SCSI requests on virtio drives backed by partitions or LVM volumes, even if
device='lun' is used. It will only be possible to issue SCSI requests on virtio drives
backed by whole disks.
Refer to Red Hat Knowledgebase 67869 for details about CVE-2011-4127.
BZ#769674
Due to an error in the bridge network driver, libvirt did not respect network configuration
properly. Therefore, if a network was set with the forward element set to mode=bridge,
libvirt incorrectly added iptables rules for such a network every time the libvirtd
daemon was restarted and the network was active. This could cause the network to become
inaccessible. With this update, libvirt reloads iptables rules only if the forward element is
set to mode=route, mode=nat, or mode=none.
BZ#769853
Previously, migration of a virtual machine failed if the machine had an ISO image attached
as a CD-ROM drive and the ISO domain was inactive. With this update, libvirt introduces
the new startupPolicy attribute for removable devices, which allows marking CD-ROM
and diskette drives as optional. With this option, virtual machines can now be started or
migrated without removable drives if the source image is inaccessible.
BZ#770955
Under certain circumstances, a race condition between asynchronous jobs and query jobs
could occur in the QEMU monitor. Consequently, after the QEMU guest was stopped, it
failed to start again with the following error message:
error: Failed to start domain [domain name]
error: Timed out during operation cannot acquire state change
lock
With this update, libvirt handles this situation properly, and guests now start as expected.
BZ#770957
The libvirt package was missing a dependency on the avahi package. The dependency is
required due to mDNS support which is turned on by default. As a consequence, the
libvirtd daemon failed to start if the libvirt package was installed on the system without
Avahi. With this update, the dependency on avahi is now defined in the libvirt.spec file, and
Avahi is installed along with libvirt.
BZ#770958
Due to several problems with security labeling, libvirtd became unresponsive when
destroying multiple guest domains with disks on an unreachable NFS storage. This update
fixes the security labeling problems and libvirtd no longer hangs under these
circumstances.
BZ#770961
Previously, libvirt incorrectly released resources in the macvtap network driver in the
underlying code for QEMU. As a consequence, after an attempt to create a virtual machine
failed, a macvtap device that was created for the machine could not be deleted from the
system. Any virtual machine using the same MAC address could not be created in such a
case. With this update, an incorrect function call has been removed, and macvtap devices
are properly removed from the system in the scenario described.
BZ#770966
Previously, libvirt defined a hard limit for the maximum number of domains (500) in Python
bindings. As a consequence, the vdsmd daemon was unable to properly discover all
virtual machines on the system with more than 500 guests. With this update, the number of
domains is now determined dynamically and vdsmd correctly discovers all virtual
machines.
Enhancements
BZ#759061
This update adds support for VMware vSphere Hypervisor (ESXi) 5 installations.
BZ#770959
When shutting down, a virtual machine had changed its status from the Up state to the
Paused state before it was shutdown. The Paused state represented the state when the
guest had been already stopped, but QEMU was flushing its internal buffers and was
waiting for libvirt to kill it. But this state change could confuse users so this update adds
respective events and modifies libvirt to use the shutdown state. A virtual machine now
moves from the Up to Powering Down and then to Down state.
All users of libvirt are advised to upgrade to these updated packages, which fix these bugs and add
these enhancements.
4.150.4. RHBA-2012:0342 — libvirt bug fix update
Updated libvirt packages that fix four bugs are now available for Red Hat Enterprise Linux 6.
The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux
and other operating systems. In addition, libvirt provides tools for remote management of virtualized
systems.
Bug Fixes
BZ#783453
Under certain circumstances, a rare race condition between the poll() event handler and the
dmidecode utility could occur. This race could result in dmidecode waiting indefinitely to
perform a read operation on the already closed file descriptor. As a consequence, it was
impossible to perform any tasks for virtualized guests using the libvirtd management
daemon, or perform certain tasks using the virt-manager utility, such as creating a new
virtual machine. This update modifies the underlying code so that the race condition no
longer occurs and libvirtd and virt-manager work as expected.
BZ#784785
Previously, when libvirt tried to attach certain SR-IOV (Single Root I/O Virtualization)
devices to virtual guests, these attempts failed with the "Unable to reset PCI device" error
messages. This patch modifies the underlying code so that these PCI devices can now be
successfully attached to guests.
BZ#787620
When migrating a QEMU domain and using SPICE for a remote display, the migration was
failing and the display was erratic under certain circumstances. This was happening
because with the incoming migration connection open, QEMU was unable to accept any
other connections on the target host. With this update, the underlying code has been
modified to delay the migration connection until the SPICE client is connected to the target
destination. The guest domains can now be successfully migrated without disrupting the
display during the migration.
BZ#790779
Previously, if the libvirt package was built with avahi support, libvirt required the avahi
package to be installed on the system as a prerequisite for its own installation. If the avahi
package could not be installed on the system due to security concerns, installation of libvirt
failed. This update modifies the libvirt.spec file to require only the avahi-libs package. The
libvirt package is now successfully installed and libvirtd starts as expected.
All users of libvirt are advised to upgrade to these updated packages, which fix these bugs. After
installing these updated packages, libvirtd must be restarted. Use the "service libvirtd restart"
command for this update to take effect.
4.150.5. RHBA-2012:0419 — libvirt bug fix update
Updated libvirt packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux
and other operating systems. In addition, libvirt provides tools for remote management of virtualized
systems.
Bug Fixes
BZ#798177
If the user attempted to connect locally as a non-root user to the libvirtd daemon (using
"qemu:///user"), the ".libvirt" directory was not created in the home directory. As a
consequence, non-root users failed to use libvirt. This update ensures that the directory is
created, and libvirt now works as expected for non-root users.
BZ#798906
The localtime_r() function used in the libvirt code was not async signal safe, which caused
child processes to enter a deadlock when attempting to generate a log message. As a
consequence, the virsh utility became unresponsive. This update applies backported
patches and adds a new API for generating log time stamps in an async-signal safe
manner. The virsh utility no longer hangs under these circumstances.
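A timestamp formatter that is safe to call in a forked child, illustrating the kind of fix described above; this is an added example, not libvirt's code. The names format_timestamp_utc and log_line are hypothetical, and the example assumes UTC output so that no time-zone lookup (and therefore no libc lock) is needed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define TS_LEN 24 /* "YYYY-MM-DD HH:MM:SS+0000", not counting the NUL */

/* Write v as exactly `width` zero-padded decimal digits, without printf(). */
static void put_digits(char *dst, unsigned v, int width)
{
    for (int i = width - 1; i >= 0; i--) {
        dst[i] = (char)('0' + v % 10);
        v /= 10;
    }
}

/*
 * Format `secs` (seconds since the Unix epoch) as a UTC timestamp in buf.
 * Only integer arithmetic is used: no localtime_r(), no tzset(), no malloc().
 * localtime_r() may take a libc-internal time-zone lock; if another thread
 * holds that lock at fork(), the child inherits it locked with no owner and
 * blocks forever on its first log message.
 * Returns TS_LEN on success, -1 if buf is too small or the year is not 0..9999.
 */
int format_timestamp_utc(int64_t secs, char *buf, size_t len)
{
    if (buf == NULL || len < TS_LEN + 1)
        return -1;

    /* Floor division so that times before 1970 also work. */
    int64_t days = secs / 86400;
    int64_t rem = secs % 86400;
    if (rem < 0) { rem += 86400; days--; }

    /* Days since 0000-03-01, split into 400-year eras (proleptic Gregorian). */
    int64_t z = days + 719468;
    int64_t era = (z >= 0 ? z : z - 146096) / 146097;
    int64_t doe = z - era * 146097;                       /* day of era   */
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100); /* from 1 March */
    int64_t mp = (5 * doy + 2) / 153;                     /* 0 = March    */
    int64_t mday = doy - (153 * mp + 2) / 5 + 1;
    int64_t mon = mp < 10 ? mp + 3 : mp - 9;
    int64_t year = yoe + era * 400 + (mon <= 2 ? 1 : 0);

    if (year < 0 || year > 9999)
        return -1;

    put_digits(buf, (unsigned)year, 4);          buf[4] = '-';
    put_digits(buf + 5, (unsigned)mon, 2);       buf[7] = '-';
    put_digits(buf + 8, (unsigned)mday, 2);      buf[10] = ' ';
    put_digits(buf + 11, (unsigned)(rem / 3600), 2);       buf[13] = ':';
    put_digits(buf + 14, (unsigned)(rem % 3600 / 60), 2);  buf[16] = ':';
    put_digits(buf + 17, (unsigned)(rem % 60), 2);
    buf[19] = '+';
    put_digits(buf + 20, 0, 4);                  /* fixed UTC offset */
    buf[TS_LEN] = '\0';
    return TS_LEN;
}

/*
 * Emit "<timestamp>: <msg>\n" on fd using a stack buffer and write(2).
 * time(), write(), strlen() and memcpy() are on the POSIX.1-2016
 * async-signal-safe list. Over-long messages are truncated.
 */
ssize_t log_line(int fd, const char *msg)
{
    char line[256];
    size_t n = strlen(msg);
    size_t max = sizeof(line) - TS_LEN - 3; /* room for ": " and '\n' */

    if (format_timestamp_utc((int64_t)time(NULL), line, sizeof(line)) < 0)
        return -1;
    if (n > max)
        n = max;
    line[TS_LEN] = ':';
    line[TS_LEN + 1] = ' ';
    memcpy(line + TS_LEN + 2, msg, n);
    line[TS_LEN + 2 + n] = '\n';
    return write(fd, line, TS_LEN + 3 + n);
}

int main(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return 1;
    if (pid == 0) {
        /* Child: only async-signal-safe calls until exec or _exit. */
        log_line(STDERR_FILENO, "child: preparing to exec");
        _exit(0);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return 0;
}
```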
All users of libvirt are advised to upgrade to these updated packages, which fix these bugs. After
installing these updated packages, libvirtd must be restarted. Use the "service libvirtd restart"
command for this update to take effect.
4.150.6. RHBA-2012:0500 — libvirt bug fix update
Updated libvirt packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux
and other operating systems. In addition, libvirt provides tools for remote management of virtualized
systems.
Bug Fix
BZ#806206
When a live migration of a guest was terminated abruptly (using the Ctrl+C key
combination), the libvirt daemon could have failed to accept any future migration request of
that guest with the following error message:
error: Timed out during operation: cannot acquire state change lock
This update adds support for registering cleanup callbacks which are called for a domain
when a connection is closed. The migration API is more robust to failures, and if a
migration process is terminated, it can be restarted on a subsequent command.
All users of libvirt are advised to upgrade to these updated packages, which fix this bug. After
installing these updated packages, libvirtd must be restarted. Use the "service libvirtd restart"
command for this update to take effect.
4.150.7. RHBA-2012:0727 — libvirt bug fix update
Updated libvirt packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
The libvirt library is a C API for managing and interacting with the virtualization capabilities of Linux
and other operating systems. In addition, libvirt provides tools for remote management of virtualized
systems.
Bug Fixes
BZ#826639
Due to a locking problem in one of the routines involved in the migration process,
migrations could become unresponsive, for example, when repeatedly migrating a domain
between two nodes. The locking problem has been fixed with this update, and migrating a
guest is now successful in this scenario.
BZ#827047
Closing a file descriptor multiple times could, under certain circumstances, lead to a failure
to execute the qemu-kvm binary. As a consequence, a guest failed to start. A patch has
been applied to address this issue, so that the guest now starts successfully.
All users of libvirt are advised to upgrade to these updated packages, which fix these bugs.
4.151. libvirt-cim
4.151.1. RHBA-2011:1587 — libvirt-cim bug fix and enhancement update
An updated libvirt-cim package that fixes one bug and adds two enhancements is now available for
Red Hat Enterprise Linux 6.
The libvirt-cim package contains a Common Information Model (CIM) provider based on Common
Manageability Programming Interface (CMPI). It supports most libvirt virtualization features and
allows management of multiple libvirt-based platforms.
Bug Fix
BZ#728245
Prior to this update, libvirt-cim contained several defects for null variables. As a result,
using null variables did not work as expected. This update resolves these defects and now
null variables work as expected.
Enhancements
BZ#633337
With this update, libvirt-cim supports libvirt networking Access Control Lists (ACL).
BZ#712257
This update provides read-only access to ensure that the remote CIM access cannot
modify the system state. This is useful when CIM is used only for monitoring and other
software is used for virtualization management.
All libvirt-cim users are advised to upgrade to this updated package, which fixes this bug and adds
these enhancements.
4.152. libvirt-qmf
4.152.1. RHBA-2012:0525 — libvirt-qmf bug fix update
Updated libvirt-qmf packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The libvirt-qmf packages provide an interface with libvirt using Qpid Management Framework (QMF),
which utilizes the Advanced Message Queuing Protocol (AMQP). AMQP is an open standard
application layer protocol providing reliable transport of messages.
Bug Fix
BZ#807931
Qpid APIs using the libqpidclient and libqpidcommon libraries are not application binary
interface (ABI) stable. These dependencies have been removed so that Qpid rebuilds do not
affect the libvirt-qmf packages.
All users of libvirt-qmf are advised to upgrade to these updated packages, which fix this bug.
4.153. libvorbis
4.153.1. RHSA-2012:0136 — Important: libvorbis security update
Updated libvorbis packages that fix one security issue are now available for Red Hat Enterprise
Linux 4, 5, and 6.
The Red Hat Security Response Team has rated this update as having important security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link(s) associated with each description below.
The libvorbis packages contain runtime libraries for use in programs that support Ogg Vorbis. Ogg
Vorbis is a fully open, non-proprietary, patent- and royalty-free, general-purpose compressed audio
format.
Security Fix
CVE-2012-0444
A heap-based buffer overflow flaw was found in the way the libvorbis library parsed Ogg
Vorbis media files. If a specially-crafted Ogg Vorbis media file was opened by an
application using libvorbis, it could cause the application to crash or, possibly, execute
arbitrary code with the privileges of the user running the application.
Users of libvorbis should upgrade to these updated packages, which contain a backported patch to
correct this issue. The desktop must be restarted (log out, then log back in) for this update to take
effect.
4.154. libxklavier
4.154.1. RHBA-2012:0005 — libxklavier bug fix update
An updated libxklavier package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The libxklavier library provides a high-level API for the X Keyboard Extension (XKB) that allows
extended keyboard control. This library supports X.Org and other commercial implementations of the
X Window system. The library is useful for creating XKB-related software, such as layout indicators.
This update fixes the following bug:
BZ#767267
Due to the way the NoMachine NX Free Edition server implements XInput support, an
attempt to log into the server using an NX or VNC client triggered an XInput error that was
handled incorrectly by the libxklavier library. Consequently, the GNOME Settings Daemon
(gnome-settings-daemon) was terminated with signal 6 (SIGABRT). To resolve this problem,
the XInput error handling routine in the libxklavier library has been modified. The library
now ignores this error and gnome-settings-daemon runs correctly under these conditions.
All users of libxklavier are advised to upgrade to this updated package, which fixes this bug.
4.155. libxml2
4.155.1. RHSA-2011:1749 — Low: libxml2 security and bug fix update
Updated libxml2 packages that fix several security issues and various bugs are now available for
Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A Common
Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available
for each vulnerability from the CVE link(s) associated with each description below.
The libxml2 library is a development toolbox providing the implementation of various XML standards.
One of those standards is the XML Path Language (XPath), which is a language for addressing parts
of an XML document.
Security Fixes
CVE-2011-0216
An off-by-one error, leading to a heap-based buffer overflow, was found in the way libxml2
parsed certain XML files. A remote attacker could provide a specially-crafted XML file that,
when opened in an application linked against libxml2, would cause the application to
crash or, potentially, execute arbitrary code with the privileges of the user running the
application.
CVE-2011-1944
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way
libxml2 parsed certain XPath expressions. If an attacker were able to supply a specially-crafted
XML file to an application using libxml2, as well as an XPath expression for that
application to run against the crafted file, it could cause the application to crash or,
possibly, execute arbitrary code.
CVE-2010-4008, CVE-2010-4494, CVE-2011-2821, CVE-2011-2834
Multiple flaws were found in the way libxml2 parsed certain XPath expressions. If an
attacker were able to supply a specially-crafted XML file to an application using libxml2, as
well as an XPath expression for that application to run against the crafted file, it could
cause the application to crash.
Note: Red Hat does not ship any applications that use libxml2 in a way that would allow the
CVE-2011-1944, CVE-2010-4008, CVE-2010-4494, CVE-2011-2821, and CVE-2011-2834 flaws to be
exploited; however, third-party applications may allow XPath expressions to be passed which could
trigger these flaws.
Red Hat would like to thank the Google Security Team for reporting the CVE-2010-4008 issue.
Upstream acknowledges Bui Quang Minh from Bkis as the original reporter of CVE-2010-4008.
Bug Fixes
BZ#732335
A number of patches have been applied to harden the XPath processing code in libxml2,
such as fixing memory leaks, rounding errors, XPath numbers evaluations, and a potential
error in encoding conversion.
All users of libxml2 are advised to upgrade to these updated packages, which contain backported
patches to correct these issues. The desktop must be restarted (log out, then log back in) for this
update to take effect.
4.155.2. RHSA-2012:0018 — Important: libxml2 security update
Updated libxml2 packages that fix two security issues are now available for Red Hat Enterprise Linux
6.
The Red Hat Security Response Team has rated this update as having important security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The libxml2 library is a development toolbox providing the implementation of various XML standards.
Security Fixes
CVE-2011-3919
A heap-based buffer overflow flaw was found in the way libxml2 decoded entity references
with long names. A remote attacker could provide a specially-crafted XML file that, when
opened in an application linked against libxml2, would cause the application to crash or,
potentially, execute arbitrary code with the privileges of the user running the application.
CVE-2011-3905
An out-of-bounds memory read flaw was found in libxml2. A remote attacker could provide
a specially-crafted XML file that, when opened in an application linked against libxml2,
would cause the application to crash.
All users of libxml2 are advised to upgrade to these updated packages, which contain backported
patches to correct these issues. The desktop must be restarted (log out, then log back in) for this
update to take effect.
4.155.3. RHSA-2012:0324 — Moderate: libxml2 security update
Updated libxml2 packages that fix one security issue are now available for Red Hat Enterprise Linux
5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The libxml2 library is a development toolbox providing the implementation of various XML standards.
Security Fix
CVE-2012-0841
It was found that the hashing routine used by libxml2 arrays was susceptible to predictable
hash collisions. Sending a specially-crafted message to an XML service could result in
longer processing time, which could lead to a denial of service. To mitigate this issue,
randomization has been added to the hashing function to reduce the chance of an attacker
successfully causing intentional collisions.
All users of libxml2 are advised to upgrade to these updated packages, which contain a backported
patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to
take effect.
4.156. lldpad
4.156.1. RHBA-2011:1604 — lldpad bug fix and enhancement update
An updated lldpad package that fixes several bugs and adds various enhancements is now
available for Red Hat Enterprise Linux 6.
The lldpad package provides the Linux user space daemon and configuration tool for Intel's Link
Layer Discovery Protocol (LLDP) agent with Enhanced Ethernet support.
The lldpad package has been upgraded to upstream version 0.9.43, which provides a number of
bug fixes and enhancements over the previous version. (BZ#731407)
Bug Fixes
BZ#749057
The Brocade 8000 Fibre Channel Forwarder (FCF) switch with FabOs 6.4.2b failed to
process the CEE TLV frame on fabric session startup (started by lldpad). As a
consequence, the Brocade 8000 Fibre Channel Forwarder (FCF) switch with FabOs 6.4.2b
terminated the connection and subsequent fabric logins failed when IEEE 802.1Qaz DCBX
was enabled. With this update, the lldptool utility can configure lldpad not to use the CEE
TLV frame for the fabric session initiation (for the eth3 device, the initiator should issue the
"lldptool -T -i eth3 -V IEEE-DCBX mode=reset" command) and the problem no longer
occurs.
BZ#694639
The lldpad service triggered excessive timeout events every second. This caused the
service to consume excess resources. Now, the lldpad service has been switched from
polling-based to a demand-based model. This prevents excessive timeout event generation
and ensures that the service consumes only the expected resources.
BZ#733123
The lldpad utility did not detect the maximum number of traffic classes supported by a
device correctly. This resulted in an invalid or incorrect hardware configuration. Now, the
utility detects the maximum number of traffic classes correctly.
BZ#720825, BZ#744133
The Edge Control Protocol (ECP) could not verify whether a port lookup was successful
when running Virtual Discovery and Configuration Protocol (VDP) on bonded devices
because VDP does not support bonded devices. As a consequence, the LLDP agent
terminated unexpectedly with a segmentation fault. With this update, VDP is no longer
initialized on bonded devices and the crash no longer occurs.
BZ#647211
The lldpad utility failed to initialize correctly on the Intel 82599ES 10 Gigabit Ethernet
Controller (Niantic) with virtual functions enabled and returned a message that there were
too many neighbors. With this update, lldpad initializes correctly and the problem no longer
occurs.
BZ#735313
Prior to this update, a user with non-superuser permissions could start the lldpad service.
With this update the lldpad init scripts have been modified and a user with non-superuser
permissions can no longer start the service.
BZ#683837
The init script did not perform a line feed when returning the output of a service command.
With this update, the init script has been recoded and the output of the service command is
correct.
BZ#720730
The get_bcn() function returned without freeing the nlh variable, which caused a memory
leak. The function has been modified and the memory leak no longer occurs.
BZ#741359
The lldpad daemon failed to detect that a NIC (Network Interface Card) had the offloaded
DCBX (Data Center Bridging eXchange) stack implemented in its firmware. As a
consequence, the lldp packets were sent by both the daemon and the NIC. With this
update, the lldpad daemon no longer sends the packets if a NIC driver implements the
offloaded DCBX stack.
BZ#749943
The lldpad utility incorrectly accessed memory. With this update, the utility accesses the
memory correctly.
Enhancement
BZ#695550
The lldpad package now supports the 802.1Qaz standard (Enhanced Transmission
Selection for Bandwidth Sharing Between Traffic Classes).
Users are advised to upgrade to this updated lldpad package, which fixes these bugs and adds
these enhancements.
4.156.2. RHBA-2012:0694 — lldpad bug fix update
Updated lldpad packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The lldpad packages provide the Linux user space daemon and configuration tool for Intel's Link
Layer Discovery Protocol (LLDP) agent with Enhanced Ethernet support.
Bug Fix
BZ#822377
The lldpad tool is initially invoked by initrd during the boot process to support Fibre
Channel over Ethernet (FCoE) boot from a Storage Area Network (SAN). The runtime lldpad
init script did not kill lldpad before restarting it after system boot. Consequently, lldpad
could not be started normally after system boot. With this update, the lldpad init script now
contains the "-k" option to terminate the first instance of lldpad that was started during
system boot.
All users of lldpad are advised to upgrade to these updated packages, which fix this bug.
4.156.3. RHBA-2012:0728 — lldpad bug fix update
Updated lldpad packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The lldpad packages provide the Linux user space daemon and configuration tool for Intel's Link
Layer Discovery Protocol (LLDP) agent with Enhanced Ethernet support.
Bug Fix
BZ#828683
Previously, dcbtool commands could, under certain circumstances, fail to enable the Fibre
Channel over Ethernet (FCoE) application type-length-values (TLV) for a selected interface
during the installation process. Consequently, various important features might have not
been enabled (for example priority flow control, or PFC) by the Data Center Bridging
eXchange (DCBX) peer. To prevent such problems, application-specific parameters (such
as the FCoE application TLV) in DCBX are now enabled by default.
All users of lldpad are advised to upgrade to these updated packages, which fix this bug.
4.157. lohit-assamese-fonts
4.157.1. RHEA-2011:1138 — lohit-assamese-fonts enhancement update
An updated lohit-assamese-fonts package which adds one enhancement is now available for Red
Hat Enterprise Linux 6.
The lohit-assamese-fonts package provides a free Assamese TrueType/OpenType font.
Enhancement
BZ#691284
Unicode 6.0, the most recent major version of the Unicode standard, introduces the Indian
Rupee Sign (U+20B9), the new official Indian currency symbol. With this update, the
lohit-assamese-fonts package now includes a glyph for this new character.
All users requiring the Indian rupee sign should install this updated package, which adds this
enhancement.
4.158. lohit-bengali-fonts
4.158.1. RHEA-2011:1141 — lohit-bengali-fonts enhancement update
An updated lohit-bengali-fonts package which adds one enhancement is now available for Red Hat
Enterprise Linux 6.
The lohit-bengali-fonts package provides a free Bengali TrueType/OpenType font.
Enhancement
BZ#691285
Unicode 6.0, the most recent major version of the Unicode standard, introduces the Indian
Rupee Sign (U+20B9), the new official Indian currency symbol. With this update, the
lohit-bengali-fonts package now includes a glyph for this new character.
All users requiring the Indian rupee sign should install this updated package, which adds this
enhancement.
4.159. lohit-gujarati-fonts
4.159.1. RHEA-2011:1134 — lohit-gujarati-fonts enhancement update
An updated lohit-gujarati-fonts package which adds one enhancement is now available for Red Hat
Enterprise Linux 6.
The lohit-gujarati-fonts package provides a free Gujarati TrueType/OpenType font.
Enhancement
BZ#691287
Unicode 6.0, the most recent major version of the Unicode standard, introduces the Indian
Rupee Sign (U+20B9), the new official Indian currency symbol. With this update, the
lohit-gujarati-fonts package now includes a glyph for this new character.
All users requiring the Indian rupee sign should install this updated package, which adds this
enhancement.
4.160. lohit-kannada-fonts
4.160.1. RHEA-2011:1140 — lohit-kannada-fonts enhancement update
An updated lohit-kannada-fonts package which adds one enhancement is now available for Red Hat
Enterprise Linux 6.
The lohit-kannada-fonts package provides a free Kannada TrueType/OpenType font.
Enhancement
BZ#691289
Unicode 6.0, the most recent major version of the Unicode standard, introduces the Indian
Rupee Sign (U+20B9), the new official Indian currency symbol. With this update, the
lohit-kannada-fonts package now includes a glyph for this new character.
All users requiring the Indian rupee sign should install this updated package, which adds this
enhancement.
4.161. lohit-malayalam-fonts
4.161.1. RHEA-2011:1136 — lohit-malayalam-fonts enhancement update
An updated lohit-malayalam-fonts package which adds one enhancement is now available for Red
Hat Enterprise Linux 6.
The lohit-malayalam-fonts package provides a free Malayalam TrueType/OpenType font.
Enhancement
BZ#691290
Unicode 6.0, the most recent major version of the Unicode standard, introduces the Indian
Rupee Sign (U+20B9), the new official Indian currency symbol. With this update, the
lohit-malayalam-fonts package now includes a glyph for this new character.
All users requiring the Indian rupee sign should install this updated package, which adds this
enhancement.
4.162. lohit-oriya-fonts
4.162.1. RHEA-2011:1137 — lohit-oriya-fonts enhancement update
An updated lohit-oriya-fonts package which adds one enhancement is now available for Red Hat
Enterprise Linux 6.
The lohit-oriya-fonts package provides a free Oriya TrueType/OpenType font.
Enhancement
BZ#691293
Unicode 6.0, the most recent major version of the Unicode standard, introduces the Indian
Rupee Sign (U+20B9), the new official Indian currency symbol. With this update, the
lohit-oriya-fonts package now includes a glyph for this new character.
All users requiring the Indian rupee sign should install this updated package, which adds this
enhancement.
4.163. lohit-punjabi-fonts
4.163.1. RHEA-2011:1135 — lohit-punjabi-fonts enhancement update
An updated lohit-punjabi-fonts package which adds one enhancement is now available for Red Hat
Enterprise Linux 6.
The lohit-punjabi-fonts package provides a free Punjabi TrueType/OpenType font.
Enhancement
BZ#691294
Unicode 6.0, the most recent major version of the Unicode standard, introduces the Indian
Rupee Sign (U+20B9), the new official Indian currency symbol. With this update, the
lohit-punjabi-fonts package now includes a glyph for this new character.
All users requiring the Indian rupee sign should install this updated package, which adds this
enhancement.
4.164. lohit-tamil-fonts
4.164.1. RHEA-2011:1139 — lohit-tamil-fonts enhancement update
An updated lohit-tamil-fonts package which adds one enhancement is now available for Red Hat
Enterprise Linux 6.
The lohit-tamil-fonts package provides a free Tamil TrueType/OpenType font.
Enhancement
BZ#691295
Unicode 6.0, the most recent major version of the Unicode standard, introduces the Indian
Rupee Sign (U+20B9), the new official Indian currency symbol. With this update, the
lohit-tamil-fonts package now includes a glyph for this new character.
All users requiring the Indian rupee sign should install this updated package, which adds this
enhancement.
4.165. lohit-telugu-fonts
4.165.1. RHEA-2011:1142 — lohit-telugu-fonts enhancement update
An updated lohit-telugu-fonts package which adds one enhancement is now available for Red Hat
Enterprise Linux 6.
The lohit-telugu-fonts package provides a free Telugu TrueType/OpenType font.
Enhancement
BZ#691297
Unicode 6.0, the most recent major version of the Unicode standard, introduces the Indian
Rupee Sign (U+20B9), the new official Indian currency symbol. With this update, the
lohit-telugu-fonts package now includes a glyph for this new character.
All users requiring the Indian rupee sign should install this updated package, which adds this
enhancement.
4.166. lsof
4.166.1. RHEA-2011:1753 — lsof enhancement update
An updated lsof package that adds one enhancement is now available for Red Hat Enterprise Linux
6.
The lsof package provides the LiSt Open Files (LSOF) tool to list information about files that are open
and running on a Linux/UNIX system.
Enhancement
BZ#671480
This enhancement update adds the new option +|-e s to lsof which exempts file systems with
the path name "s" from being subjected to kernel function calls that might block. Note that
only the first +|-e argument is processed and the rest are ignored.
All users of lsof are advised to upgrade to this updated package, which adds this enhancement.
4.167. luci
4.167.1. RHBA-2011:1510 — luci bug fix and enhancement update
An updated luci package that fixes multiple bugs and adds various enhancements is now available
for Red Hat Enterprise Linux 6.
The luci package contains a web-based high availability cluster configuration application.
Bug Fixes
BZ#599074
When defining a cluster and checking the Use the Same Password for All Nodes
box, an error message, saying that the user did not enter a password for any of the clusters
except the first one, appeared after the user had submitted the changes. The password
synchronization was triggered only once by checking the box. As a consequence, if no
password was entered before checking the box, none could be copied into the other
password fields. This update fixes the problem so that filling any single password field in
the form causes the password to be correctly submitted for every node affected.
BZ#632536
Upgrading or downgrading the luci package could result in SELinux AVC (Security-Enhanced
Linux Access Vector Cache) denials due to the Python applications searching
for local customizations in the Home directory. With this update, Python's paste tool now
uses the -Es flag, and so avoids this behavior.
BZ#639121
If changes were made in any of the lightbox dialog boxes, a dialog box was hidden instead
of being reset after it had been closed. As a consequence, when the dialog box was
reopened, it was in the same state as before closing. The only way to reset the state of the
dialog box was to refresh the page in the browser. Now, when the user closes the existing
dialog box, the page refreshes automatically instead of trying to recreate the initial state.
BZ#643488
Previously, titles of certain dialog boxes in the luci UI contained inconsistent character
casing. Now, character casing is consistent in all titles.
BZ#703574
Previously, luci did not provide any way to back up or restore the content of the database.
With this update, the content of the luci database located in
/var/lib/luci/data/luci.db can be fully backed up and restored.
BZ#705111
In luci, when editing a failover domain that had both the Restricted and Prioritized
boxes unchecked, adding of a node had no effect. The operation appeared to be
successful, however the node was not added to the domain in the cluster.conf file. With this
update, nodes can be successfully added to the failover domain. Removing nodes from the
failover domain now works correctly as well.
BZ#705884
Previously, a bug in luci resulted in luci not being able to parse lines which contained the
name of a service ending with the ".1" suffix. As a consequence, when importing a cluster,
luci logged an error or displayed the Error 500 message in the browser. This update
removes the bug and luci can now parse names ending with ".1" correctly.
BZ#707918
When the user created a file system resource and then tried to edit any field of a cluster
service, an error message was printed and the changes were not applied. With this update,
the source code is modified so that the changes are successfully applied.
BZ#708205
Previously, the Run Exclusive checkbox on the administration panel for a service group
did not correspond to the configuration of this service group's entry in the cluster.conf
file. The Run Exclusive option was enabled in luci by default, without it being manually
enabled, and services could therefore become exclusive without users knowing about it.
Now, luci is modified to correspond with the cluster.conf file: if the Run Exclusive
option is not enabled, the checkbox is not checked.
BZ#711625
Due to luci not showing the migrate action for virtual machines, the Error 500 error
message could appear when attempting to create a cluster of KVM (Kernel-based Virtual
Machine) guests. With this update, luci is modified so that the services can be started and
edited successfully.
BZ#714285
Prior to this update, the stop/start service was performed instead of migration when
migrating a virtual machine by choosing the Migrate to node... option in the drop
down menu on the Service Details page. With this update, the source code is modified to
successfully complete the migration of virtual machines using the web interface.
BZ#718355
Prior to this update, if Log debugging messages and Log messages to log file
were enabled in the Logging page and the user entered a file path in the textbox below, the
Error 500 message appeared. The changes to logging could not be submitted as a
consequence. This problem has been fixed and changes to logging are submitted correctly.
BZ#729730
Prior to this update, luci served web pages and XHTML documents for most of the web
browsers with the "application/xhtml+xml" content type and with "application/xml" and
"text/html" as fallback. Web pages for the Internet Explorer browser were consistently served
with the "text/html" content type. As a consequence, users were unable to open the URL of
the luci server using Internet Explorer 8.0 and an error message appeared instead. With this
update, web pages are permanently served with the "text/html" content type. The login page
shows up correctly and users are able to log in.
BZ#733084
When trying to save an empty value for an option that used to be non-empty before instead
of removing such option from the cluster.conf file, it was saved as the previous non-empty
value. If the user attempted to clear options for a virtual machine service that had been
configured, luci did not save configuration for the service and it was therefore impossible
to clear them using only the web interface. This problem has been fixed and the options are
now cleared properly.
BZ#733797
Previously, luci did not start a service on a preferred node. When the user chose a service
with a failover domain on the Service Groups page, a service started on the first node even
if the user did not choose the first node as the preferred one. Now, the Submit button is used
instead of a link for the headers_detail form, which fixes the problem.
Enhancements
BZ#522005
The previous version of luci did not provide any role-based access control system. With
this update, luci contains a new system for managing user roles. Multiple users can now
gain various privileges for managing or accessing clusters.
BZ#671285
Now, a warning message is displayed when the user logs in for the first time in the luci UI.
The text warns users about possible problems related to managing clusters using the UI
with no further knowledge of clustering.
BZ#664036
This update provides a confirmation dialog box, which appears when removing cluster
nodes or the whole cluster by selecting all the nodes and clicking the Delete button.
BZ#705072
This update adds support for the new fence_vmware fence agent.
Users of luci are advised to upgrade to this updated package, which fixes these bugs and adds these
enhancements.
4.168. lvm2
4.168.1. RHBA-2011:1522 — lvm2 bug fix and enhancement update
Updated lvm2 packages that fix several bugs and add three enhancements are now available for
Red Hat Enterprise Linux 6.
The lvm2 packages contain support for Logical Volume Management (LVM).
Bug Fixes
BZ#743112
Due to locking errors, multiple failed cmirror devices were unable to be replaced. With this
update, the underlying source code has been modified to address this issue, and the
aforementioned devices are correctly replaced should a failure occur.
BZ#696251
Prior to this update, extending a mirror volume beyond available extents while using the
cling by tags allocation policy did not work properly. Normally, such an action returns an
error message informing the user that there are insufficient allocatable extents for use.
However, this check failed and caused a volume to be corrupted. Because the allocation
code has been revised, restructured, and made more robust, the problematic scenario with
extending mirror volumes while using the cling by tags policy no longer occurs.
BZ#684083
While performing extensive I/O operations in the background, the pvmove command could
become unresponsive. With this update, the underlying source code has been modified to
address this issue, and the pvmove command no longer hangs.
BZ#733320
When a striped logical volume was resized with the lvresize command, the size was
rounded down to the stripe boundary. This could pose a problem when shrinking the
volume with a file system on it. Even if a user determined the new size so that the file system
did fit entirely onto the volume, and resized the volume, the alignment done by the
lvresize command might have cut off a part of the file system, causing it to become
corrupted. This update fixes the rounding for striped volumes so that a volume is never
reduced more than requested.
BZ#594525
Prior to this update, placing mirror legs on different physical devices with the lvcreate
--alloc anywhere command did not guarantee placement of data on different physical
devices. With this update, the above command tries to allocate each mirror image on a
separate device first before placing it on a device that is already used.
BZ#737087
If the lvcreate command was used with large physical volumes while using %FREE, %VG,
%PVS or %ORIGIN for size definition, the resulting LV size was incorrectly calculated. This
was caused by an integer overflow while calculating the percentages. This update provides
a better way of calculating the sizes, by using proper typecasting, so that the overflow no
longer occurs.
BZ#715190
Several LVM locking error and warning messages were returned during the system start-up.
They were caused by cluster locking (configured globally in /etc/lvm/lvm.conf). At
the early stage of the system start-up, when the early init script tries to activate any existing
VGs, the cluster infrastructure (as well as the network interface) is not yet initialized.
Cluster locking therefore cannot be used and the system falls back to file-based locking
instead, causing several misleading error and warning messages to be returned. With this
update, these error and warning messages are suppressed during the system start-up, and
the system falls back to a usable locking mechanism silently.
BZ#712147
The vgimportclone script triggered a code path in LVM that caused it to access
already-released memory when a duplicated PV was found. Consequently, the VG that contained
such PV was found to be inconsistent and the process ended up with a failure to read the
VG. This update fixes this failure by saving such problematic strings to a temporary buffer,
and thus avoiding improper memory access.
BZ#697945
The cluster LVM daemon (clvmd) was crashing when attempting to create a high number of
volume groups at once. This was caused by the limit on the number of available file
descriptors per process. While clvmd was creating pipes and the limit was reached under
the pressure of a high number of requests, clvmd did not return an error but continued to
use uninitialized pipes instead, eventually causing it to crash. With this update, clvmd now
returns an error message immediately if the pipe creation fails.
BZ#734193
When using striped mirrors, improper and overly-restrictive divisibility requirements for the
extent count could cause a failure to create a striped mirror, even though it was correct and
possible. The condition that was checked took both the mirror count and the stripe count into
account, although the stripe count alone was sufficient. This update fixes this, and creating a
striped mirror no longer fails.
BZ#732142
Previously, an improper activation sequence was used while performing an image split
operation. That caused a device-mapper table to be loaded while some of the processed
devices were known to be suspended. This has been fixed and the activation sequence has
been reordered so that the table is always loaded at the proper time.
BZ#570359
Issuing an lvremove command could cause a failure to remove a logical volume. This
failure was caused by processing an asynchronous udev event that kept the volume
opened while the lvremove command tried to remove it. These asynchronous events are
triggered when the watch udev rule is applied (it is set for device-mapper/LVM2 devices
when using the udisks package that installs /lib/udev/rules.d/80-udisks.rules).
To fix this issue, the number of device open calls in read-write mode has been minimized
and read-only mode is used internally if possible (the event is generated when closing a
device that has the watch rule set and is closed after a read-write open).
Although this fixes a problem when opening a device internally within the command
execution, the failure could still occur when using several commands quickly in a sequence
where each one opens a device for read-write and then closes it immediately (for example in
a script). In such a case, it is advisable to use the udevadm settle command in between.
BZ#695526
With this update, when using the lvconvert command, the "Unable to create a snapshot of
a locked|pvmove|mirrored LV" error message has been changed to "Unable to convert an LV
into a snapshot of a locked|pvmove|mirrored LV." for clarity reasons.
BZ#711445
A hostname containing the slash character (“/”) caused LVM commands to fail while
generating an archive of current metadata. Because a hostname is a part of the temporary
archive file name, a file path that was ambiguous was created, which caused the whole
archive operation to fail. This update fixes this by replacing any slash character (“/”) with
a question mark character (“?”) in the hostname string, which is then used to compose the
temporary archive file name.
BZ#712829
An issue was discovered when running several commands in parallel that activated or
deactivated an LV or a VG. The symbolic links for LVs in /dev were created and removed
incorrectly, causing them to exist when the device had already been removed or vice versa.
This problem was caused by the fact that during the activation there was no write lock held
that would protect individual activation commands as a whole (there was no metadata
change). Together with non-atomicity of checking udev operations, an improper decision
was made in the code based on the already stale information. This triggered a part of the
code that attempted to repair the symbolic links as a fallback action.
To fix this, these checks are no longer run by default, thus fully relying on udev. However,
the old functionality can still be used for diagnosing other udev related problems by setting
a new verify_udev_operations option found in the activation section of the
/etc/lvm/lvm.conf file.
BZ#728157
This update removes the unsupported --force option from the lvrename manpage.
BZ#743932
With this update, the vgsplit command is now able to split a volume group containing a
mirror with mirrored logs.
Enhancements
BZ#623808
Prior to this update, it was not possible to create a PV object with all properties calculated
(for example, the PE start value) without a need to write the PV label on the disk while using
an LVM2 library (lvm2app). This has been changed so that the PV label is written out later
in the process as a part of the lvm_vg_write call, making it possible to calculate all PV
properties and query them without actually writing the PV label on the disk.
BZ#651493
This update adds support for issuing discards (TRIM) as part of lvm2 operations.
BZ#729712
In Red Hat Enterprise Linux 6.2, support for MD's RAID personalities has been added to
LVM as a Technology Preview. For more information about this feature, refer to the Red Hat
Enterprise Linux 6.2 Release Notes.
Users are advised to upgrade to these updated lvm2 packages, which resolve these issues and add
these enhancements.
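The percentage overflow described under BZ#737087 above, as an added example (not LVM source code). It assumes extent counts are held in 32-bit unsigned integers and that a size such as 100%FREE is computed as extents * percent / 100; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Assumption for this example: extent counts are 32-bit unsigned integers
 * and a percentage size is computed as extents * percent / 100.
 */

/* Pre-fix pattern: the product is formed in 32 bits and wraps modulo 2^32. */
static uint32_t percent_of_extents_32(uint32_t extents, uint32_t percent)
{
    return extents * percent / 100;
}

/*
 * Fixed pattern: cast one operand first so the product is formed in 64 bits.
 * Returns 0 and stores the result, or -1 if the result does not fit in a
 * 32-bit extent count (possible only when percent is above 100).
 */
static int percent_of_extents_64(uint32_t extents, uint32_t percent,
                                 uint32_t *out)
{
    uint64_t wide = (uint64_t)extents * percent / 100;

    if (wide > UINT32_MAX)
        return -1;
    *out = (uint32_t)wide;
    return 0;
}

/*
 * Smallest extent count whose 32-bit product with `percent` wraps.
 * Returns 0 when no 32-bit extent count can wrap (percent is 0 or 1).
 */
static uint64_t first_wrapping_extent_count(uint32_t percent)
{
    if (percent <= 1)
        return 0;
    return (uint64_t)UINT32_MAX / percent + 1;
}

int main(void)
{
    /* Constructed sample volume sizes, in extents. */
    const uint32_t samples[] = { 1000000u, 42949672u, 42949673u, 50000000u };
    const uint32_t percent = 100;
    size_t i;

    printf("32-bit product wraps from %llu extents at %lu%%\n",
           (unsigned long long)first_wrapping_extent_count(percent),
           (unsigned long)percent);

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t fixed = 0;
        int rc = percent_of_extents_64(samples[i], percent, &fixed);

        printf("extents=%lu  32-bit=%lu  64-bit=%lu%s\n",
               (unsigned long)samples[i],
               (unsigned long)percent_of_extents_32(samples[i], percent),
               (unsigned long)fixed,
               rc ? "  (result out of range)" : "");
    }
    return 0;
}
```

With a 4 MiB extent size (an assumption), the 100% case starts to wrap at roughly 164 TiB, which is why only large physical volumes were affected.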
4.169. mailcap
4.169.1. RHBA-2011:1118 — mailcap bug fix update
An updated mailcap package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The mailcap package contains the mailcap file, which is used by the metamail program. Metamail
reads the mailcap file to determine how it should display non-text or multimedia material. mailcap
associates a particular type of file with a particular program that a mail agent or other program can
call in order to handle the file. Mailcap should be installed to allow certain programs to be able to
handle non-text files.
Bug Fix
BZ#610793
Prior to this update, the mime.types database did not contain the WebM MIME type
(video/webm). The problem has been resolved in this update by including the MIME type in
the database.
All users of mailcap are advised to upgrade to this updated package, which fixes this bug.
4.170. mailman
4.170.1. RHBA-2011:1275 — mailman bug fix update
An updated mailman package that fixes various bugs is now available for Red Hat Enterprise Linux
6.
Mailman is a program used to help manage email discussion lists.
Bug Fixes
BZ#704699, BZ#703389
Previously, a number of Python scripts and subdirectories in the /usr/lib/mailman/ directory
were group writable. As a result, the respective files and subdirectories could have been
changed not only by the owner, but also by other users in the same user group. This
undesired behavior has been resolved in this update so that only the owner can now
change the files and subdirectories.
BZ#684622
Because of a bug in the brp-python-compile script file, unnecessary
/etc/mailman/mm_cfg.pyc and /etc/mailman/mm_cfg.pyo files were generated under certain
circumstances. As a result, the Mailman build process could have failed. This update fixes
the aforementioned bug by compiling Python script files manually so that the build process
no longer fails.
BZ#636825
In accordance with current guidelines, all Python executable files have been updated to
use the Python executable file directly, that is the "#!/usr/bin/python" string instead of
"#!/usr/bin/env python".
All users of mailman are advised to upgrade to this updated package, which fixes these bugs.
4.171. man-pages-ja
4.171.1. RHBA-2011:0962 — man-pages-ja bug fix update
An updated man-pages-ja package that fixes multiple bugs is now available for Red Hat Enterprise
Linux 6.
The man-pages-ja package contains Japanese translations of the Linux Documentation Project man
pages.
Bug Fixes
BZ#579641
Prior to this update, the man-pages-ja package did not contain the Japanese translations
of the man pages of the "halt", "init", "poweroff", "reboot", "runlevel", "shutdown", and
"telinit" commands. With this update, the aforementioned man page translations have been
added.
BZ#682122
Prior to this update, the Japanese translation of the getpriority(2) man page contained a
typo in the range of "nice values". This update corrects the typo.
BZ#699301
Prior to this update, the Japanese translation of the wall(1) man page contained a typo in
the description of the message length limit. This update corrects the typo.
BZ#710704
Prior to this update, the Japanese translation of the tar(1) man page did not contain
descriptions of the "--selinux" and "--no-selinux" options. With this update, the missing
descriptions have been added.
All users of man-pages-ja are advised to upgrade to this updated package, which fixes these bugs.
4.172. man-pages-overrides
4.172.1. RHBA-2011:1571 — man-pages-overrides bug fix update
An updated man-pages-overrides package that fixes multiple bugs is now available for Red Hat
Enterprise Linux 6.
[Updated 28 March 2012] This advisory has been updated with the correct description for bug
688543. The package included in this revised update has not been changed in any way from the
package included in the original advisory.
The man-pages-overrides package contains a collection of manual (man) pages to complement
other packages or update those contained therein.
Bug Fixes
BZ#615897
Previously, a manual page for the lsmsr utility was missing. This update adds the lsmsr(8)
manual page.
BZ#656245
Previously, a manual page for the fattach function was missing. This update adds the
fattach(2) manual page.
BZ#674423
Previously, a manual page for the recvmmsg call was missing. This update adds the
recvmmsg(2) manual page.
BZ#728416
Previously, a manual page for the sendmmsg call was missing. This update adds the
sendmmsg(2) manual page.
BZ#688543
Prior to this update, the lscfg(8), lsmcode(8), lsmsr(8), lsvio(8), and vpdupdate(8) manual
pages did not document multiple lsvpd options. This update adds all missing options to the
manual pages.
BZ#690187
Previously, manual pages for the cciss and hpsa utilities were missing. This update adds
the cciss(4) and hpsa(4) manual pages.
BZ#730042
Previously, a manual page for the cpufreq-aperf utility was missing. This update adds the
cpufreq-aperf(1) manual page.
BZ#709058
Previously, the ntp-keygen(8) manual page contained multiple typos. This update corrects
these typos.
BZ#709274
Previously, the ntpq(8) manual page contained multiple typos. This update corrects these
typos.
B Z #712256
Previously, the volume_key(8) manual page contained a typo. This update corrects this
typo.
BZ#727526
Previously, the curl(1) manual page contained a typo. This update corrects this typo.
BZ#731690
Previously, multiple ecryptfs manual pages contained an incorrect link in the SEE ALSO
section. With this update, the link is now fixed.
BZ#734836
Previously, the clock_gettime(2), clock_getres(2), and clock_nanosleep(2) manual pages
did not mention the "-lrt" option. With this update, the "-lrt" option is now described in the
corresponding manual pages.
BZ#698151
The host.conf(5) manual page contained a description for the unsupported "order"
keyword. With this update, the description of the "order" keyword is removed.
BZ#742098
Previously, the nfs(5) manual page contained an inaccurate description of the "timeo"
option. With this update, the description is now enhanced.
BZ#740670
Previously, the vsftpd.conf(5) manual page contained incorrect information about the
default values of the "max_per_ip" option. With this update, the information is now fixed.
BZ#602228
With this update, the new multicast feature is now described in the brctl(8) manual page.
BZ#717770
With this update, the "single-request-reopen" option is now described in the resolv.conf(5)
manual page.
BZ#723791
With this update, the new UMOUNT_NOFOLLOW flag is described in the umount(2) manual
page.
BZ#694860
With this update, usage of SSSD in the nsswitch.conf file is now described in the
nsswitch.conf(5) manual page.
BZ#719902
This update removes multiple manual pages from the original package.
All users of man-pages-overrides are advised to upgrade to this updated package, which fixes these
bugs.
4.173. matahari
4.173.1. RHBA-2011:1569 — matahari bug fix and enhancement update
Updated matahari packages that fix multiple bugs and add various enhancements are now available
for Red Hat Enterprise Linux 6.
The matahari packages provide a set of APIs for operating system management that are exposed to
remote access over the Qpid Management Framework (QMF).
Bug Fixes
BZ#688193
Prior to this update, the matahari services agent could not monitor the status of a system
service. As a consequence, matahari could not be used in high-availability (HA)
environments where status monitoring is a requirement. With this update, the user of the
services agent can specify the frequency for the status check and the matahari services
agent can now provide service health information for applications such as HA.
BZ#714249
Prior to this update, the wrong CPU core count was returned when requesting the CPU core
count from the matahari host agent. With this update, matahari and the supporting library,
sigar, have been modified to ensure that the core count is not improperly affected by
hyperthreading support. Now, the expected CPU core count is returned.
BZ#729063
Prior to this update, the host agent included only time related metadata when producing
heartbeat events. As a consequence, it was problematic to associate heartbeat events with
the host they originated from, especially in logs. With this update, the heartbeat events
produced by the Host agent include the hostname and the hardware's Universally Unique
Identifier (UUID) as additional metadata. Now, it is easier to associate the host agent
heartbeat events with the host they originated from.
BZ#732498
Prior to this update, the data address for matahari QMF objects was inconsistent. As a
consequence, the data address for some agents was the class name, for others it was a
UUID. This update consistently uses the class name as the data address. Now, the data
address across all matahari agents is consistent.
Enhancements
BZ#663468
Prior to this update, matahari only supported IBM eServer xSeries 366, AMD64 and Intel 64
architectures. This update adds support for PowerPC and IBM System z architectures as a
Technology Preview.
BZ#688181
This update adds support for QMF to allow for Kerberos authentication.
BZ#688191
With this update, matahari includes an agent for system configuration to support updating
the system configuration with both puppet and augeas.
BZ#735419
Prior to this update, users could only specify a hostname or IP address. As a consequence,
a dynamically updated list of brokers to connect to was not provided. With this update,
matahari supports querying for DNS SRV records to determine the broker, or the list of
brokers to connect to. Now administrators can use DNS SRV to control where matahari
agents connect to.
All users of matahari are advised to install these packages, which fix these bugs and add these
enhancements.
4.173.2. RHBA-2012:0511 — matahari bug fix update
Updated matahari packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The matahari packages provide a set of APIs for operating system management that are exposed to
remote access over the Qpid Management Framework (QMF).
Bug Fix
BZ#806766
Qpid APIs using the libqpidclient and libqpidcommon libraries are not application binary
interface (ABI) stable. These dependencies have been removed so that Qpid rebuilds do not
affect the matahari packages.
All users of matahari are advised to upgrade to these updated packages, which fix this bug.
4.174. mcelog
4.174.1. RHEA-2011:1579 — mcelog enhancement update
An enhanced mcelog package is now available for Red Hat Enterprise Linux 6.
mcelog is a daemon that collects and decodes Machine Check Exception data on AMD64 and Intel
64 machines.
Enhancement
BZ#699592
This update enables full Predictive Failure Analysis (PFA) support in mcelog. Predictive
Failure Analysis (PFA) is a technology for monitoring the probability of hard disk drive
failure.
In addition, mcelog is now able to collect and log data by default upon package
installation.
Users of mcelog are advised to upgrade to this updated package, which adds these enhancements.
4.175. mdadm
4.175.1. RHBA-2011:1520 — mdadm bug fix update
An updated mdadm package that fixes several bugs is now available for Red Hat Enterprise Linux 6.
The mdadm package contains a utility for creating, managing, and monitoring Linux MD (multiple
disk) devices.
Bug Fixes
BZ#692261
The mdadm utility incorrectly detected an IMSM (Intel Matrix Storage Manager) RAID device
that was in the resync status as being in the reshape status. As a consequence, mdadm
refused to assemble the IMSM RAID device because an external data file is needed to reassemble
a device in the reshape status. If booting from the IMSM RAID device, the boot process
could fail under these circumstances. With this update, mdadm detects that an IMSM RAID
device is in the resync mode, assembles the device correctly, and launches its
synchronization.
BZ#694083
When an array was changing the RAID level from redundant to non-redundant, the mdmon
monitoring tool failed to close. As a consequence, mdmon applied the initial structure to the
new array and mdadm could terminate with a segmentation fault. With this update, the
underlying code has been modified and mdmon closes under these circumstances.
B Z #702270
The resync progress of an array, which was already partially resynchronized, was reset to
zero and the resync process was restarted. This occurred if a newly-assembled array
requested resync and reset the progress of another array from the container which was
already partially resynchronized. With this update, the underlying code has been modified
and a degraded RAID continues its resync from the point it had reached on previous
resynchronizing.
BZ#598513
The mdadm utility handled the udev incremental rules incorrectly. As a consequence, it
failed to handle incremental assembly of RAID devices built on top of logical multipath
devices and a RAID device configured on top of a multipath device did not assemble during
the boot process. With this update, mdadm handles the udev incremental rules file correctly
and such devices are assembled as expected.
BZ#733153
Due to unexpected attributes in RAID metadata, the assembly of a RAID device could fail
and the device was not available to the system. With this update, the metadata attributes are
ignored and the RAID device is assembled as expected during boot.
BZ#695336
The mdadm utility calculated the data disks number during a reshape restart incorrectly
and due to this miscalculation could attempt to divide by 0. As a result, reassembly of a
migrated array could cause a floating point exception. With this update, the underlying
code has been modified and the number of data disks is calculated correctly.
BZ#694103
Buffer size used on double-degraded RAID 6 devices was insufficient. As a result, the RAID
recovery failed and mdadm terminated unexpectedly. This happened because the buffer
could not write data back to a stripe size if the recovered stripe was larger than the original
stripe and the buffer overran. With this update, mdadm checks the size of the requested
buffer and allocates a larger buffer for the stripe under these circumstances, and the
recovery of double-degraded RAID 6 completes successfully.
BZ#694121
If an array was created using the --size option with no chunk size specified, the mdadm
utility rounded the default chunk size incorrectly. With this update, the rounding process
has been modified and arrays are created with the correct size alignment.
BZ#694779
When expansion or reshape of RAID 0 volume was restarted, mdadm failed to assemble the
array because it failed to restore a critical section of the backup file and exited with the
following message:
mdadm: Failed to restore critical section for reshape - sorry
This happened because during the process, the RAID level for RAID 0 devices is temporarily
changed to RAID 4; however, the Grow_restart() function called on restart did not allow any
RAID level changes. With this update, the level change has been allowed and the problem
no longer occurs.
BZ#609122, BZ#6674703
The udev scripts did not add encrypted devices to a RAID device because encrypted
devices were ready only after they had been unlocked. As a consequence, a RAID device
created on top of one or more encrypted block devices failed to assemble. With this update,
the underlying code has been changed and the script unlocks encrypted devices and adds
them to the respective RAID device as expected.
BZ#706500
Due to incorrect internal accounting of disks, the mdadm utility failed to re-add a disk,
which was previously marked as faulty and removed. With this update, the underlying code
has been modified and such a disk is re-added as expected.
BZ#727212
The output of the mdstat --examine command contained incorrect status information.
This happened because the DELAYED/PENDING status of a RAID device during resync
was translated to an incorrect status. An upstream patch that fixes this bug has been
applied and the mdstat --examine command now returns correct status information.
BZ#716413
Version 0.90 arrays have the metadata_version value set to NULL while newer versions set
the metadata to the respective version. When the mdmonitor utility was restarted, it
attempted to dereference the metadata value and terminated with a segmentation fault when
the value was NULL. As a consequence, the RAID device became inaccessible. With this
update, the NULL pointer dereference for metadata_version has been fixed.
BZ#694092
The mdadm tool did not handle expansion of arrays which were not chunk size aligned.
This happened because mdadm left the array prepared for reshape when the array
expansion returned a message that the new chunk size was not divisible by the component
size, which could prevent the array from being reassembled again later on. This update
applies an upstream patch, which checks the alignment before preparing the array for
expansion. The mdadm tool now rejects expansion of an array with incorrect chunk size
alignment and the array can be reassembled later.
Users are advised to upgrade to this updated mdadm package, which resolves these bugs.
4.176. mesa
4.176.1. RHBA-2011:1616 — mesa bug fix and enhancement update
Updated mesa packages that fix multiple bugs and add various enhancements are now available for
Red Hat Enterprise Linux 6.
Mesa provides a 3D graphics application programming interface (API) that is compatible with
OpenGL (Open Graphics Library). It also provides hardware-accelerated drivers for many popular
graphics chips.
The mesa packages have been upgraded to upstream version 7.11, which provides a number of bug
fixes and enhancements over the previous version. (BZ#713772)
Bug Fixes
BZ#677470
Prior to this update, the OpenGL output was corrupted due to problems with the rendering
in guests. This update modifies the software rendering so that the OpenGL output is no
longer corrupted.
BZ#745686
Prior to this update, the nouveau gallium driver was wrongly included in the
mesa-dri-drivers package which could lead to conflicts. This update corrects this error and removes
the nouveau gallium driver from the package.
All Mesa users are advised to upgrade to these updated packages, which fix these bugs and add these
enhancements.
4.177. microcode_ctl
4.177.1. RHEA-2011:1594 — microcode_ctl bug fix and enhancement update
An updated microcode_ctl package that fixes a bug and adds various enhancements is now
available for Red Hat Enterprise Linux 6.
The microcode_ctl package provides microcode updates for Intel and AMD processors.
Bug Fix
BZ#684009
A previous update introduced a memory leak when loading the updated microcode into
memory prior to conversion of said microcode into a format suitable for the CPU. This
update includes a corrected patch that de-allocates the memory correctly, ensuring memory
does not leak.
Enhancements
BZ#696582
The Intel CPU microcode file has been updated to version 20110915, which is the most
recent version of the microcode available from Intel.
BZ#682668
The AMD CPU microcode file version 20110111 is now included in the package.
Note that the system must be rebooted in order for these changes to take effect.
Users are advised to upgrade to this updated microcode_ctl package, which fixes this bug and adds
these enhancements.
4.178. mingetty
4.178.1. RHBA-2011:1177 — mingetty bug fix update
An updated mingetty package that fixes three bugs is now available for Red Hat Enterprise Linux 6.
The mingetty program is a lightweight, minimalist getty program for use only on virtual consoles. The
mingetty program is not suitable for serial lines (the mgetty program should be used in that case).
Bug Fixes
BZ#640933
Prior to this update, when mingetty was invoked with the "--chroot" option, mingetty did not
change the working directory to the new root. Furthermore, mingetty continued even if
setting constraints specified by the "--chroot", "--chdir", and "--nice" options failed. As a
result, a user was able to escape from the changed root by using relative paths. Also, it was
possible for a user to obtain a process with a different process priority. These problems
have been resolved in this update so that the working directory is now changed to the new
root directory, all failures are now recognized, and mingetty terminates with an error
reported to the system log.
BZ#640940
Prior to this update, when invoking mingetty with a TTY name (a non-option position
argument) that was longer than 39 ASCII characters, a buffer overflow occurred and the
mingetty stack content could have become corrupted. This bug has been fixed in this
update so that only the first 39 bytes (34 bytes in case of a relative path) from the TTY name
are now copied.
BZ#651955
Prior to this update, when using a login name longer than 39 characters, such login name
was silently refused and mingetty terminated. With this update, login names with the length
up to the current runtime limit are now accepted; login names that are above the limit are
refused, an error is reported to the system log, and mingetty terminates.
All users of mingetty should upgrade to this updated package, which fixes these bugs.
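The two hardening points described above for BZ#640933 and BZ#640940, sketched as an added example (not mingetty's own code): a device path built in a fixed 40-byte buffer with the 39/34-byte limits, and constraints that are applied fail-closed, with a change of directory into the new root. The function names and the "/dev/" prefix are assumptions of this example.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#define TTY_BUF 40            /* 39 bytes of name plus the terminating NUL */
#define DEV_PREFIX "/dev/"    /* assumed prefix: 5 bytes, leaving 34 for the name */

/* Build the device path in a fixed buffer. Returns 0 if the whole name
 * fitted, 1 if it was cut at the limit, -1 on a missing or empty name. */
int build_tty_path(char out[TTY_BUF], const char *name)
{
    size_t used = 0, room, n;
    int truncated;

    if (out == NULL || name == NULL || name[0] == '\0')
        return -1;
    if (name[0] != '/') {                 /* relative name: prepend /dev/ */
        memcpy(out, DEV_PREFIX, sizeof(DEV_PREFIX) - 1);
        used = sizeof(DEV_PREFIX) - 1;
    }
    room = (TTY_BUF - 1) - used;          /* 39 for absolute, 34 for relative */
    n = strlen(name);
    truncated = n > room;
    if (truncated)
        n = room;                         /* copy only what fits */
    memcpy(out + used, name, n);
    out[used + n] = '\0';
    return truncated;
}

/* Report a failed constraint to the system log and signal the caller. */
static int fail(const char *what, const char *arg)
{
    syslog(LOG_ERR, "%s(%s) failed: %s", what, arg, strerror(errno));
    return -1;
}

/* Apply the constraints in order; NULL or 0 means "not requested".
 * Returns 0 on success, -1 on the first failure (the caller must exit). */
int apply_constraints(const char *new_root, const char *workdir, int nice_inc)
{
    char num[16];

    if (new_root != NULL) {
        if (chroot(new_root) != 0)
            return fail("chroot", new_root);
        if (chdir("/") != 0)              /* leave the old working directory */
            return fail("chdir", "/");
    }
    if (workdir != NULL && chdir(workdir) != 0)
        return fail("chdir", workdir);
    if (nice_inc != 0) {
        errno = 0;                        /* -1 is also a valid new priority */
        if (nice(nice_inc) == -1 && errno != 0) {
            snprintf(num, sizeof num, "%d", nice_inc);
            return fail("nice", num);
        }
    }
    return 0;
}

int main(int argc, char **argv)
{
    char tty[TTY_BUF];
    int rc = build_tty_path(tty, argc > 1 ? argv[1] : "tty1");

    if (rc < 0 || apply_constraints(NULL, NULL, 0) != 0)
        return 1;                         /* terminate instead of continuing */
    printf("%s%s\n", tty, rc ? " (name cut to fit)" : "");
    return 0;
}
```

Without the chdir("/") after chroot(), the process keeps a working directory outside the new root, which is what makes relative paths an escape route.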
4.179. mingw32
4.179.1. RHEA-2011:1751 — mingw32 enhancement update
Updated mingw32 packages that add two enhancements are now available for Red Hat Enterprise
Linux 6.
The mingw32 packages provide the MinGW (Minimalistic GNU for Windows) development
environment.
Enhancements
BZ#722878
The previous version of the mingw32 packages used GCC in version 4.4.3. This
enhancement update upgrades base mingw32 packages and rebuilds all dependent
packages to make sure they are in sync with the latest GCC version (4.4.6) that is available
in Red Hat Enterprise Linux 6.
BZ#719866
In accordance with the latest packaging guidelines, all packages that contain debugging
information now have the "mingw32-" prefix.
All users of mingw32 are advised to upgrade to these updated packages, which add these
enhancements.
4.180. mingw32-qpid-cpp
4.180.1. RHBA-2011:1740 — mingw32-qpid-cpp bug fix and enhancement update
An updated mingw32-qpid-cpp package that fixes several bugs and adds various enhancements is
now available for Red Hat Enterprise Linux 6.
The mingw32-qpid-cpp package provides a message broker daemon that receives, stores, and
routes messages using runtime libraries for AMQP client applications developed using Qpid C++.
Clients exchange messages with an AMQP message broker using the Advanced Message Queuing
Protocol (AMQP), an open standard application layer protocol.
The mingw32-qpid-cpp package has been upgraded to upstream version 0.12, which provides a
number of bug fixes and enhancements over the previous version. (BZ #706994)
All users of mingw32-qpid-cpp are advised to upgrade to this updated package, which fixes these
bugs and adds these enhancements.
4.181. mksh
4.181.1. RHBA-2011:0923 — mksh bug fix update
An updated mksh package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The mksh package provides the MirBSD version of the Korn Shell, which implements the ksh-88
programming language for both interactive and shell script use.
Bug Fix
BZ#712355
Prior to this update, the mksh package did not specify all requirements for RPM scriptlets.
As a result, the requirements were not installed during the post install setup and the
scriptlets were not able to work correctly. With this update, the bug has been fixed, and the
mksh package now specifies the requirements and installs them as expected.
All users of mksh are advised to upgrade to this updated package, which fixes this bug.
4.182. mod_nss
4.182.1. RHBA-2011:1656 — mod_nss bug fix update
An updated mod_nss package that fixes several bugs is now available for Red Hat Enterprise Linux
6.
The mod_nss module provides strong cryptography for the Apache HTTP Server via the Secure
Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, using the Network Security
Services (NSS) security library.
Bug Fixes
BZ#691502
When the NSS library was not initialized and mod_nss tried to clear its SSL cache on startup, mod_nss terminated unexpectedly when the NSS library was built with debugging
enabled. With this update, mod_nss does not try to clear the SSL cache in the described
scenario, thus preventing this bug.
BZ#714154
Previously, a static array containing the arguments for launching the nss_pcache
command was written one element past its size. This could lead to a variety of issues including
unexpected termination. This bug has been fixed, and mod_nss now uses a properly sized
static array when launching nss_pcache.
BZ#702437
Prior to this update, client certificates were only retrieved during the initial SSL handshake if
the NSSVerifyClient option was set to "require" or "optional". Also, the FakeBasicAuth
option only retrieved Common Name rather than the entire certificate subject. Consequently,
it was possible to spoof an identity using that option. This bug has been fixed, the
FakeBasicAuth option is now prefixed with "/" and is thus compatible with OpenSSL, and
certificates are now retrieved on all subsequent requests beyond the first one.
Users of mod_nss are advised to upgrade to this updated package, which fixes these bugs.
4.182.2. RHBA-2012:0394 — mod_nss bug fix update
An updated mod_nss package that fixes two bugs is now available for Red Hat Enterprise Linux 6.
The mod_nss module provides strong cryptography for the Apache HTTP Server via the Secure
Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, using the Network Security
Services (NSS) security library.
Bug Fixes
BZ#800270, BZ#800271
The RHBA-2011:1656 errata advisory released a patch that fixed a problem of mod_nss
crashing when clearing its SSL cache on startup without the NSS library initialized.
However, that patch placed the fix in the improper location in the code, which caused a file
descriptor leak in the Apache httpd daemon. With this update, the necessary fix has been
relocated to the appropriate location in the code so that the problem is fixed and the file
descriptor leak no longer occurs.
All users of mod_nss are advised to upgrade to this updated package, which fixes these bugs.
4.183. mod_revocator
4.183.1. RHBA-2011:1769 — mod_revocator bug fix update
An updated mod_revocator package that fixes multiple bugs is now available for Red Hat Enterprise
Linux 6.
The mod_revocator module retrieves and installs remote Certificate Revocation Lists (CRLs) into an
Apache web server.
Bug Fixes
BZ#748579
Previously, the code for the httpd daemon shutdown was incorrect and the mod_revocator
module did not shut down the httpd daemon when CRL (Certificate Revocation List) update
failed on IA-32 architectures. With this update, the code has been fixed and httpd is now
closed as expected when CRL update fails.
BZ#748577
Previously, the code for httpd shutdown was incorrect and the mod_revocator module did
not shut down the httpd daemon when expired CRLs were fetched. With this update, the
code has been fixed and httpd is closed as expected in this scenario.
BZ#749696
Due to an incorrect initialization size of a static array, the httpd daemon with
mod_revocator failed to start on 64-bit PowerPC architectures. With this update, the size of
the array has been modified and the httpd starts as expected under these circumstances.
BZ#746365
The httpd daemon with the mod_revocator module cannot be used as an HTTP client by
default because the SELinux policy prevents such behavior. However, to acquire CRLs from
a remote host, the httpd daemon needs to behave as an HTTP client to send HTTP
messages to the host. If the behavior was not enabled, child processes of the httpd daemon
terminated unexpectedly with segmentation faults when attempting to connect to a remote
host. With this update, the underlying code has been changed and the segmentation faults
no longer occur.
Note
To change the SELinux policy and enable httpd to request CRLs from a remote host,
execute the "setsebool -P httpd_can_network_connect=1" command as root.
All users of mod_revocator are advised to upgrade to this updated package, which fixes these bugs.
4.184. module-init-tools
4.184.1. RHBA-2012:0366 — module-init-tools bug fix and enhancement update
An updated module-init-tools package that fixes two bugs and adds one enhancement is now
available for Red Hat Enterprise Linux 6.
The module-init-tools package includes various programs needed for automatic loading and
unloading of modules under 2.6 and later kernels, as well as other module management programs.
Device drivers and file systems are two examples of loaded and unloaded modules.
Bug Fixes
BZ#787741
Previously, if the "override" keyword was present in the depmod.conf file without any
parameters specified, the depmod utility terminated unexpectedly with a segmentation fault.
A patch has been applied to ensure that the depmod utility no longer crashes and a syntax
warning is displayed instead.
BZ#797183
Previously, on low-memory systems (such as low-memory high-performance infrastructure,
or HPC, nodes or virtual machines), depmod could use an excessive amount of memory. As a
consequence, the depmod process was killed by the OOM (out of memory) mechanism, and
the system was unable to boot. With this update, the free() function is correctly used in
several places in the code so that depmod's memory consumption is reduced.
Enhancement
BZ#787748
This update adds the "backports" directory to the search path in the depmod.conf file,
which is necessary to support integration of the compat-wireless package into kernel
packages.
All users of module-init-tools are advised to upgrade to this updated package, which fixes these
bugs and adds this enhancement.
4.185. mysql
4.185.1. RHSA-2012:0105 — Important: mysql security update
Updated mysql packages that fix several security issues are now available for Red Hat Enterprise
Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
MySQL is a multi-user, multi-threaded SQL database server. It consists of the MySQL server daemon
(mysqld) and many client programs and libraries.
Bug Fixes
CVE-2011-2262, CVE-2012-0075, CVE-2012-0087, CVE-2012-0101, CVE-2012-0102,
CVE-2012-0112, CVE-2012-0113, CVE-2012-0114, CVE-2012-0115, CVE-2012-0116,
CVE-2012-0118, CVE-2012-0119, CVE-2012-0120, CVE-2012-0484, CVE-2012-0485,
CVE-2012-0490, CVE-2012-0492
This update fixes several vulnerabilities in the MySQL database server. Information about
these flaws can be found on the Oracle Critical Patch Update Advisory page.
These updated packages upgrade MySQL to version 5.1.61. Refer to the MySQL release notes for a
full list of changes:
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-x.html
All MySQL users should upgrade to these updated packages, which correct these issues. After
installing this update, the MySQL server daemon (mysqld) will be restarted automatically.
4.186. nautilus
4.186.1. RHBA-2011:1203 — nautilus bug fix update
Updated nautilus packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The Nautilus file manager is a core component of the GNOME desktop project. It allows users to
browse directories on local and remote file systems, preview files and launch applications associated
with them. It is also responsible for handling the icons on the GNOME desktop.
Bug Fixes
BZ#616774
Previously, the "Volume is busy" dialog was not linked to any window, which led to the
"Untitled window" item appearing on the taskbar when the user unmounted or ejected a
device with one or more files opened. This update sets the dialog temporarily for the
desktop window which automatically removes the taskbar item.
BZ#636881
Previously, an incorrect signal was emitted when the user changed the name of a bookmark
created in Nautilus. As a consequence, the changes got lost and the new name was not
written into the bookmark file. This has been fixed: the correct signal is now emitted and the
bookmarks can be properly updated.
BZ#652607
Previously, Nautilus could close unexpectedly with a segmentation fault due to a race
condition if the user selected a file that was already deleted but was still displayed in the
window. This has been fixed and Nautilus does not terminate unexpectedly any longer.
BZ#654091
Previously, the GNOME Configuration (GConf) schemas were missing. As a consequence,
the position and size of the folder windows were lost once the user closed the window. The
missing GConf schemas have been added and the position and size of the folder windows
are now saved and restored correctly.
BZ#661589
Prior to this update, Nautilus did not reflect the changes made to the locations of the XDG
(Base Directory Specification) file system directories and used the old locations instead. As
a consequence, files created on the desktop may have disappeared if the user logged in
using a different user interface language. This problem has been fixed: the desktop is now
refreshed with every change of the XDG directories.
BZ#666086
Previously, Nautilus could have become suspended when the user copied files from an FTP
server. This was caused by an error in the GVFS (GNOME virtual file system) client dbus
code which prevented recursive synchronous calls. This has been fixed and Nautilus no
longer becomes suspended during the file transfers.
BZ#690147
Prior to this update, Nautilus did not refresh the folder buttons in the path bar when deleting
the linked directories. When clicking on the folder icon in the path bar, an error message
appeared. Now, folder buttons in the path bar are automatically removed when deleting the
linked directory.
All users of nautilus are advised to upgrade to these updated packages, which fix these bugs.
4.187. nautilus-open-terminal
4.187.1. RHBA-2011:1205 — nautilus-open-terminal bug fix update
An updated nautilus-open-terminal package that fixes various bugs is now available for Red Hat
Enterprise Linux 6.
The nautilus-open-terminal extension provides the right-click "Open Terminal" option for Nautilus.
This updated nautilus-open-terminal package includes fixes for the following bugs:
BZ#630236
This update adds the untranslated string which was missing in the Japanese translation of
the graphical user interface.
BZ#640496
Previously, the terminal failed to start if the user used a shell other than bash. The problem
was caused by incorrect invocation parameters, which have been fixed and the terminal
now launches properly.
BZ#716398
Previously, nothing happened if there was no terminal application installed and the user
right-clicked on the desktop and selected "Open Terminal". With this update, the gnome-terminal package has been set as a hard dependency to guarantee at least one terminal
application is available.
All users of nautilus-open-terminal are advised to upgrade to this updated package, which resolves
these bugs.
4.188. ncompress
4.188.1. RHBA-2012:0043 — ncompress bug fix update
An updated ncompress package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The ncompress package contains the compress and uncompress file compression and
decompression utilities, which are compatible with the original UNIX compress utility (.Z file
extensions).
Bug Fix
BZ#781973
The ncompress utility previously relied on the glibc implementation of the memcpy()
function. A recent glibc update optimized memcpy(), which resulted in data corruption in
ncompress file compression and decompression. This update replaces memcpy() with the
memmove() function and ncompress now works as expected.
All users of ncompress are advised to upgrade to this updated package, which fixes this bug.
4.189. net-snmp
4.189.1. RHBA-2011:1524 — net-snmp bug fix update
Updated net-snmp packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The net-snmp packages provide various libraries and tools for the Simple Network Management
Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting
information from SNMP agents, tools for generating and handling SNMP traps, a version of the
netstat command which uses SNMP, and a Tk/Perl management information base (MIB) browser.
Bug Fixes
BZ#678314
The previous version of snmptrapd, the Net-SNMP daemon for processing traps, leaked
memory when processing incoming SNMP traps in embedded Perl. This caused the amount
of consumed memory to grow over time, making the memory consumption even larger if the
daemon was processing SNMPv1 traps. With this update, the underlying source code has
been adapted to prevent such memory leaks, and processing incoming SNMP traps in
embedded Perl no longer increases the memory consumption.
BZ#681949
On 64-bit systems, the previous version of snmpd, the Net-SNMP agent, gathered the disk
IO and CPU usage statistics for UCD-SNMP::systemStats as 64-bit. However, relevant
MIB describes these statistics as 32-bit and as a consequence, snmpd wrote the following
message to the system log when processing the 64-bit values:
truncating integer value > 32 bits
This update adapts snmpd to collect values for UCD-SNMP::systemStats as 32-bit
integers so that it no longer reports the aforementioned message to syslog.
BZ#683563
The previous version of the snmpd daemon did not detect errors when accessing the /proc
file system. Consequent to this, an attempt to read information about an exited process
while gathering information for a HOST-RESOURCES-MIB::hrSWRunTable table caused
the daemon to terminate unexpectedly with a segmentation fault. This update adapts the
underlying source code to make sure that such errors are now properly detected, and
snmpd no longer crashes when populating HOST-RESOURCES-MIB::hrSWRunTable.
BZ#683680
Prior to this update, the snmpd daemon reported HOST-RESOURCES-MIB::hrSystemDate with an incorrect sign in the timezone offset. This update applies a
patch to make sure the timezone offset is properly recalculated and the value reported by
snmpd is now correct.
BZ#702165
Previously, the snmpd daemon tracked all network interfaces that were present on the
system while it was running, including interfaces that were removed from the system during
this time. Consequent to this, when an interface which had been removed was re-instantiated with the same name but with a different interface index, snmpd reported both
interfaces separately in IF-MIB::ifTable. This typically happened to Point-to-Point
Protocol (PPP) interfaces. This update adds two new options, interface_fadeout and
interface_replace_old, to the /etc/snmpd/snmpd.conf configuration file, which
allows system administrators to control the behavior of snmpd when two interfaces with the
same name but a different interface index are detected. Refer to the snmpd.conf(5) manual
page for details.
BZ#702171
When running on a system with two network interfaces with the same IP address, the
previous version of the snmpd daemon silently ignored the second interface while
populating IP-MIB::ipAddressTable. With this update, snmpd has been adapted to
add a message that the second interface is being ignored to the system log in this scenario.
This allows system administrators to determine why the second interface is missing from
IP-MIB::ipAddressTable.
BZ#703682
The previous version of the snmpd daemon ignored SIGCHLD signals from processes that
were spawned as a result of the pass_persist configuration option. However, this led to
unnecessary defunct processes on the system. With this update, the snmpd daemon has
been adapted to correctly process the SIGCHLD signals so that such defunct processes
are no longer created.
BZ#707912
Prior to this update, the snmpd daemon incorrectly ignored XFS file systems when populating
HOST-RESOURCES-MIB::hrFSTable. This update adds support for the XFS file system
to HOST-RESOURCES-MIB::hrFSTable so that snmpd no longer omits such file systems
from the report.
BZ#708370
In previous versions of net-snmp, the snmpd daemon did not distinguish between outgoing
SMUX messages and always incremented their Request-ID, even when multiple SMUX
messages were sent as a result of one incoming SNMP request with multiple variables.
However, RFC 1227 requires that such SMUX messages should have the same Request-ID. With this update, snmpd properly recognizes multiple outgoing SMUX messages that
are the result of one incoming SNMP request and assigns them the same Request-ID.
BZ#708947
When the system ran out of memory while populating IP-MIB::ipNetToPhysicalTable, the previous version of the snmpd daemon did not
properly recover and may have terminated unexpectedly as a consequence. This update
adapts the underlying source code to detect that the system is running out of memory, and
snmpd no longer crashes in this situation.
BZ#710667
Prior to this update, the netsnmp module for the Python programming language did not
properly initialize an SNMP session with SNMPv3 authentication. Consequent to this, an
attempt to use such a session caused Python to terminate unexpectedly with a
segmentation fault. This update ensures that SNMP sessions with SNMPv3 authentication
are now initialized properly and can be used in Python modules as expected.
BZ#711481
The previous version of the netsnmp Python module did not properly parse OID names
that included an MIB name (such as IF-MIB::ifTable). With this update, the regular
expression for parsing OID names has been corrected and the aforementioned Python
module now parses such names properly.
BZ#720704
Previously, the snmpd daemon did not verify the result of reading from a network socket in
the SMUX module. Consequent to this, snmpd may have been unable to close erroneous
SMUX sessions, because it failed to detect some network errors. With this update, the
snmpd daemon has been adapted to properly detect errors when reading from a SMUX
socket so that it can now react to these errors properly.
BZ#729738
When an AgentX subagent was being disconnected from the snmpd daemon, the daemon
did not properly detach all outstanding SNMP requests from the internal session object
representing this agent. As a consequence, snmpd could terminate unexpectedly while
processing these requests. With this update, the snmpd daemon ensures that outstanding
SNMP requests do not point to an AgentX session that is closed.
BZ#725657
When a binary is built with the RELRO flag, the ELF sections are reordered to include
internal data sections before the program's data sections, and the Global Offset Table (GOT)
address section of the resulting ELF file is mapped read-only. This ensures that any attempt
to overwrite the GOT entry and gain control over the execution flow of a program fails with
an error. For this reason, the Net-SNMP daemons, binaries, and shared libraries are now
built with full RELRO protection.
All users of net-snmp are advised to upgrade to these updated packages, which fix these bugs.
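A check for the full RELRO build described above, as an added example rather than Red Hat's or Net-SNMP's code: it classifies an ELF64 image (host byte order) as having no, partial, or full RELRO by looking for a PT_GNU_RELRO segment and an immediate-binding flag in the dynamic section. The function names are assumptions of this example, and the image built by make_sample is constructed for the demonstration.

```c
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { RELRO_BAD = -1, RELRO_NONE = 0, RELRO_PARTIAL = 1, RELRO_FULL = 2 };

/* Classify an in-memory ELF64 image. Full RELRO needs both a PT_GNU_RELRO
 * segment and immediate binding, so the GOT can be made read-only at start. */
int relro_level(const unsigned char *img, size_t len)
{
    Elf64_Ehdr eh;
    int has_relro = 0, bind_now = 0;

    if (len < sizeof eh)
        return RELRO_BAD;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_phentsize != sizeof(Elf64_Phdr) || eh.e_phoff > len)
        return RELRO_BAD;

    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        Elf64_Off off = eh.e_phoff + (Elf64_Off)i * sizeof ph;

        if (off > len || len - off < sizeof ph)
            return RELRO_BAD;              /* program header outside the file */
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_RELRO)
            has_relro = 1;
        if (ph.p_type != PT_DYNAMIC)
            continue;
        if (ph.p_offset > len || len - ph.p_offset < ph.p_filesz)
            return RELRO_BAD;              /* dynamic section outside the file */
        for (Elf64_Xword d = 0; d + sizeof(Elf64_Dyn) <= ph.p_filesz;
             d += sizeof(Elf64_Dyn)) {
            Elf64_Dyn dyn;

            memcpy(&dyn, img + ph.p_offset + d, sizeof dyn);
            if (dyn.d_tag == DT_NULL)
                break;
            if (dyn.d_tag == DT_BIND_NOW ||
                (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_BIND_NOW)) ||
                (dyn.d_tag == DT_FLAGS_1 && (dyn.d_un.d_val & DF_1_NOW)))
                bind_now = 1;
        }
    }
    if (!has_relro)
        return RELRO_NONE;
    return bind_now ? RELRO_FULL : RELRO_PARTIAL;
}

/* Constructed sample: ELF header, two program headers, two dynamic entries. */
size_t make_sample(unsigned char *buf, size_t cap, int with_relro, int with_bind_now)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph[2];
    Elf64_Dyn dyn[2];
    size_t total = sizeof eh + sizeof ph + sizeof dyn;

    if (cap < total)
        return 0;
    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memset(dyn, 0, sizeof dyn);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = 2;
    ph[0].p_type = PT_DYNAMIC;
    ph[0].p_offset = sizeof eh + sizeof ph;
    ph[0].p_filesz = sizeof dyn;
    ph[1].p_type = with_relro ? PT_GNU_RELRO : PT_NULL;
    dyn[0].d_tag = with_bind_now ? DT_FLAGS : DT_DEBUG;
    dyn[0].d_un.d_val = with_bind_now ? DF_BIND_NOW : 0;
    dyn[1].d_tag = DT_NULL;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, sizeof ph);
    memcpy(buf + sizeof eh + sizeof ph, dyn, sizeof dyn);
    return total;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "no", "partial", "full" };
    unsigned char sample[512], *img = sample;
    size_t len = make_sample(sample, sizeof sample, 1, 1);
    long sz = 0;
    int level;

    if (argc > 1) {                        /* classify a real file instead */
        FILE *f = fopen(argv[1], "rb");
        if (f == NULL || fseek(f, 0, SEEK_END) != 0 || (sz = ftell(f)) <= 0 ||
            fseek(f, 0, SEEK_SET) != 0 || (img = malloc((size_t)sz)) == NULL ||
            fread(img, 1, (size_t)sz, f) != (size_t)sz) {
            perror(argv[1]);
            return 2;
        }
        fclose(f);
        len = (size_t)sz;
    }
    if ((level = relro_level(img, len)) < 0)
        return 2;                          /* not a usable ELF64 image */
    printf("%s RELRO\n", names[level]);
    return level == RELRO_FULL ? 0 : 1;
}
```

Run with a file argument, the program exits 0 only for full RELRO, so it can gate a package build or an audit loop over installed binaries.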
4.189.2. RHBA-2011:1839 — net-snmp bug fix update
Updated net-snmp packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The net-snmp packages provide various libraries and tools for the Simple Network Management
Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting
information from SNMP agents, tools for generating and handling SNMP traps, a version of the
netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.
Bug Fix
BZ#753766
The SNMP daemon (snmpd) did not properly fill a set of watched socket file descriptors.
Therefore, the daemon sometimes terminated unexpectedly with the "select: bad file
descriptor" error message when more than 32 AgentX subagents connected to snmpd on
32-bit platforms or more than 64 subagents on 64-bit platforms. With this update, snmpd
properly clears sets of watched file descriptors and thus it no longer crashes when
handling a large number of subagents.
All users of net-snmp are advised to upgrade to these updated packages, which fix this bug.
4.189.3. RHBA-2013:1215 — net-snmp bug fix update
Updated net-snmp packages that fix one bug are now available for Red Hat Enterprise Linux 6
Extended Update Support.
The net-snmp packages provide various libraries and tools for the Simple Network Management
Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting
information from SNMP agents, tools for generating and handling SNMP traps, a version of the
netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.
Bug Fix
BZ#1002858
When an AgentX subagent disconnected from the SNMP daemon (snmpd), the daemon did
not properly check that there were no active requests queued in the subagent and
destroyed the session. Consequently, the session was referenced by snmpd later when
processing queued requests and because it was already destroyed, snmpd terminated
unexpectedly with a segmentation fault or looped indefinitely. This update adds several
checks to prevent the destruction of sessions with active requests, and snmpd no longer
crashes in the described scenario.
Users of net-snmp are advised to upgrade to these updated packages, which fix this bug.
4.189.4. RHBA-2013:0819 — net-snmp bug fix update
Updated net-snmp packages that fix one bug are now available for Red Hat Enterprise Linux 6
Extended Update Support.
The net-snmp packages provide various libraries and tools for the Simple Network Management
Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting
information from SNMP agents, tools for generating and handling SNMP traps, a version of the
netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.
Bug Fix
BZ#956287
Previously, snmpd erroneously checked the length of "SNMP-TARGET-MIB::snmpTargetAddrRowStatus" value in incoming "SNMP-SET" requests on 64-bit
platforms. Consequently, snmpd sent an incorrect reply to the "SNMP-SET" request. With
this update, the check of "SNMP-TARGET-MIB::snmpTargetAddrRowStatus" is fixed and it
is possible to set it remotely using "SNMP-SET" messages.
Users of net-snmp are advised to upgrade to these updated packages, which fix this bug.
4.189.5. RHBA-2013:1110 — net-snmp bug fix update
Updated net-snmp packages that fix one bug are now available for Red Hat Enterprise Linux 6
Extended Update Support.
The net-snmp packages provide various libraries and tools for the Simple Network Management
Protocol (SNMP), including an SNMP library, an extensible agent, tools for requesting or setting
information from SNMP agents, tools for generating and handling SNMP traps, a version of the
netstat command which uses SNMP, and a Tk/Perl Management Information Base (MIB) browser.
Bug Fix
BZ#986191
In previous Net-SNMP releases, snmpd reported an invalid speed of network interfaces in
IF-MIB::ifTable and IF-MIB::ifXTable if the interface had a speed other than 10, 100, 1000 or
2500 MB/s. Thus, the net-snmp ifHighSpeed value returned was "0" compared to the
correct speed as reported in ethtool, if the Virtual Connect speed was set to, for example, 0.9
Gb/s. With this update, the ifHighSpeed value returns the correct speed as reported in
ethtool, and snmpd correctly reports non-standard network interface speeds.
Users of net-snmp are advised to upgrade to these updated packages, which fix this bug.
4.190. net-tools
4.190.1. RHBA-2011:1596 — net-tools bug fix update
An updated net-tools package that fixes various bugs is now available for Red Hat Enterprise Linux
6.
The net-tools package contains basic networking tools, including ifconfig, netstat, route, and others.
Bug Fixes
BZ#705110
Prior to this update, the "hostname -i" command failed to display related network addresses
when the hostname was not included in the /etc/hosts file. The "hostname -f" command had
the same issue with Fully Qualified Domain Names (FQDNs). To fix this issue, new "--all-fqdns" (or "-A") and "--all-ip-addresses" (or "-I") options have been implemented for the
hostname command. These options are independent of the /etc/hosts content. The
"hostname -I" command now displays all network addresses for all configured network
interfaces, and the "hostname -A" command displays all FQDNs for all configured network
interfaces of the host.
BZ#725348
The "netstat -p" command output incorrectly displayed a number in the PID/Program name
column instead of the program name. The code has been modified to fix this issue, and
netstat now shows the correct program name in this column.
BZ#732984
The netstat utility truncated IPv6 UDP sockets when the "--notrim" (or "-T") option was
specified. This update fixes the issue, and whole IPv6 addresses are now displayed for
UDP sockets when using netstat with this option.
BZ#680837
The route(8) manual page now includes an explicit description of the "mss M" option.
BZ#694766
The SYNOPSIS section of the plipconfig(8) manual page and the usage output of the
plipconfig command have been modified to show correct plipconfig options.
All users of net-tools are advised to upgrade to this updated package, which resolves these issues.
4.190.2. RHBA-2012:0555 — net-tools bug fix update
Updated net-tools packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The net-tools packages contain basic networking tools, including hostname, ifconfig, netstat, and
route.
Bug Fix
BZ#816375
Running the "hostname" command with the "-A, --all-fqdns" or "-I, --all-ip-addresses"
option to display all Fully Qualified Domain Names (FQDNs) or network addresses of the
host failed with the "Hostname lookup failure" error if the machine's host name was not
resolved in DNS. With this update, these options are no longer dependent on name
resolution; all FQDNs and network addresses of the host are now displayed as expected
even if the host name cannot be resolved or is not included in the /etc/hosts file.
All users of net-tools are advised to upgrade to these updated packages, which fix this bug.
4.191. netcf
4.191.1. RHBA-2011:1631 — netcf bug fix and enhancement update
Updated netcf packages that fix multiple bugs and add various enhancements are now available for
Red Hat Enterprise Linux 6.
The netcf packages contain a library for modifying the network configuration of a system. Network
configuration is expressed in a platform-independent XML format, which netcf translates into
changes to the system's " native" network configuration files.
The netcf packages have been upgraded to upstream version 0.1.9, which provides a number of bug
fixes and enhancements over the previous version.
Bug Fix
BZ#713286
Prior to this update, certain interfaces had associated configuration files in the
/etc/sysconfig/network-scripts/ directory, but no corresponding device in the kernel. As a
result, netcf returned an error status every time it was asked for the current status of an
interface it was unable to find in the kernel, so management applications collected a large
number of error log messages. With this update, failures to find an interface in the kernel are
now ignored.
Enhancements
BZ#616060
In this update, netcf has been modified to capture the stdout and stderr output of ifup and
ifdown, and, in the case of an error, forward that information back to the management
application, which used netcf to start or stop an interface. This makes it easier to
troubleshoot problems.
BZ#708476
Changes made to a host's network configuration by netcf (via netcf's API, or the ncftool
commands) immediately and permanently modify the host's configuration files (in
/etc/sysconfig/network-scripts/ifcfg-*). With this update, new API/virsh commands have been
added to enable saving the current state of network configuration before any changes are
made, and easily reverting to that configuration if any problems are encountered.
All users are advised to update to these updated packages, which fix these bugs and add these
enhancements.
4.192. NetworkManager
4.192.1. RHBA-2012:1112 — NetworkManager bug fix update
Updated NetworkManager packages that fix a bug are now available for Red Hat Enterprise Linux 6
Extended Update Support.
NetworkManager is a system network service that manages network devices and connections,
attempting to keep active network connectivity when available. It manages Ethernet, wireless, mobile
broadband (WWAN), and PPPoE (Point-to-Point Protocol over Ethernet) devices, and provides VPN
integration with a variety of different VPN services.
Bug Fix
BZ#822271
When an existing DHCP lease was renewed, NetworkManager did not recognize it as a
change in DHCP state and failed to run the dispatcher scripts. Consequently, hostnames
were purged from DHCP records. With this update the code has been improved and
NetworkManager now handles same-state transitions correctly. Now, hostnames are not
purged from the DHCP server when a lease is renewed.
Users of NetworkManager are advised to upgrade to these updated packages, which fix this bug.
4.192.2. RHBA-2011:1632 — NetworkManager bug fix and enhancement update
Updated NetworkManager packages that fix multiple bugs and add various enhancements are now
available for Red Hat Enterprise Linux 6.
NetworkManager is a system network service that manages network devices and connections,
attempting to keep active network connectivity when available. It manages Ethernet, wireless, mobile
broadband (WWAN), and PPPoE devices, and provides VPN integration with a variety of different
VPN services.
Bug Fixes
BZ#660666
NetworkManager did not recognize IBM CTC (Channel-to-Channel) devices, which made it
impossible to install Red Hat Enterprise Linux on IBM S/390 machines which used CTC
devices. NetworkManager now detects these devices properly, with the result that Red Hat
Enterprise Linux can be installed on such machines.
BZ#696585
When connecting to a WLAN, pressing the Enter key in NetworkManager's dialog box had
no effect and the dialog box remained open. However, the WLAN connection could be
established by clicking the Connect button with the mouse. This happened because the
Connect button was not defined as default action on confirmation in the code. With this
update, the Connect button was marked as default and NetworkManager now launches the
WLAN connection under these circumstances.
BZ#696916
Due to a memory access error, the connection profile configured in NetworkManager was
not stored if an IPv6 address and an IPv6 gateway were specified. The code has been
modified to prevent this issue and connection profiles are now stored correctly.
BZ#706338
Due to a timing issue in the libnm-glib library, NetworkManager produced a D-Bus error
when a network driver was unloaded from the kernel. This error message was only for
informational purposes and therefore did not need to appear in syslog messages. The
message has been suppressed in the libnm-glib code, and the error message no longer
occurs in any of the system logs.
BZ#747066
NetworkManager did not specify the initial frequency of an ad hoc wireless network when
the frequency was not set by the user. If the network frequency was not set when
authenticating with wpa_supplicant using the nl80211 supplicant driver, the connection
attempt failed. NetworkManager has been modified to set a frequency that is supported by
the network device in use if it is not specified by the user. Users can now connect to ad hoc
wireless networks without problems in the scenario described.
BZ#659685
The RHSA-2010-0616 security advisory for the dbus-glib library introduced changes
restricting access to D-Bus properties. Therefore under certain circumstances,
NetworkManager failed to display the login banner when a user connected to a VPN.
NetworkManager has been modified to respect dbus-glib limitations, and the login banner
is now displayed correctly.
BZ#743555
The implementation of the wpa_supplicant application has recently been changed to use
the nl80211 supplicant driver instead of the WEXT wireless extension. Both methods use a
different approach to show the level of a wireless network signal. This difference was not
reflected in NetworkManager's code, therefore the signal level was shown incorrectly.
NetworkManager has been modified to handle this feature correctly when using nl80211,
and the signal level is now displayed correctly.
Enhancements
BZ#590096
NetworkManager did not send the system hostname to a DHCP server unless it was
explicitly configured with a configuration file. NetworkManager now sends the hostname to
the DHCP server by default.
BZ#713283
Roaming in RSA token-enabled enterprise Wi-Fi networks did not work properly, which
resulted in the wpa_supplicant component upgrade to version 0.7.3. This update required
new features to be implemented in NetworkManager. NetworkManager now includes the
background scanning feature for the wpa_supplicant component and uses the nl80211
supplicant driver when adding a supplicant interface.
All users of NetworkManager are advised to upgrade to these updated packages, which fix these
bugs and add these enhancements.
4.193. NetworkManager-openswan
4.193.1. RHBA-2011:1771 — NetworkManager-openswan bug fix update
An updated NetworkManager-openswan package that fixes various bugs is now available for Red Hat
Enterprise Linux 6.
NetworkManager-openswan contains software for integrating the Openswan VPN software with
NetworkManager and the GNOME desktop.
Bug Fixes
BZ#684809
When an openswan VPN was established, the NetworkManager applet did not display any
notification (login banner) and the error message, "Error getting 'Banner'", was logged.
With this update, NetworkManager now displays the connection establishment notification
as a tooltip for the NetworkManager icon.
BZ#702323
Prior to this update, networkmanager-openswan did not provide an export feature. Due to
this, it was not possible to save the configuration settings in a file. This update adds this
feature and now it is possible to export configuration settings to a file.
BZ#705890
Prior to this update, NetworkManager could not properly track the status of an openswan
VPN. Consequently, when an openswan VPN was disconnected, NetworkManager did not
remove the VPN padlock icon. This update fixes this issue and now the VPN padlock icon
is removed after an openswan VPN connection is terminated.
All users of NetworkManager-openswan are advised to upgrade to this updated package, which fixes
these bugs.
4.194. newt
4.194.1. RHEA-2011:1207 — newt enhancement update
Updated newt packages that add one enhancement are now available for Red Hat Enterprise Linux 6.
Newt is a programming library for color text mode, widget-based user interfaces. Newt can be used to
add stacked windows, entry widgets, check boxes, radio buttons, labels, plain text fields, and so on,
to text mode user interfaces.
Enhancement
BZ#707704
Prior to this update, it was not possible to set a color of individual labels, scrollbars,
entries, textboxes, and scales. With this update, setting a color of the aforementioned GUI
elements is now possible.
All users of newt are advised to upgrade to these updated packages, which add this enhancement.
4.195. nfs-utils
4.195.1. RHSA-2011:1534 — Low: nfs-utils security, bug fix, and enhancement update
Updated nfs-utils packages that fix two security issues, various bugs, and add one enhancement are
now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. Common
Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available
for each vulnerability from the CVE links associated with each description below.
The nfs-utils package provides a daemon for the kernel Network File System (NFS) server, and related
tools such as the mount.nfs, umount.nfs, and showmount programs.
Security Fixes
CVE-2011-2500
A flaw was found in the way nfs-utils performed IP based authentication of mount requests.
In configurations where a directory was exported to a group of systems using a DNS
wildcard or NIS (Network Information Service) netgroup, an attacker could possibly gain
access to other directories exported to a specific host or subnet, bypassing intended
access restrictions.
CVE-2011-1749
It was found that the mount.nfs tool did not handle certain errors correctly when updating
the mtab (mounted file systems table) file. A local attacker could use this flaw to corrupt the
mtab file.
Bug Fixes
BZ#702273
The function responsible for parsing the /proc/mounts file was not able to handle single
quote characters (') in the path name of a mount point entry if the path name contained
whitespaces. As a consequence, an NFS-exported file system with such a mount point
could not be unmounted. The parsing routine has been modified to parse the entries in the
/proc/mounts file properly. All NFS file systems can be now unmounted as expected.
BZ#744657
On an IPv6-ready network, an NFS share could be mounted on the same location twice if
one mount failed over from IPv6 to IPv4. This update prevents the failover to IPv4 under
such circumstances.
BZ#732673
Prior to this update, NFS IPv6 unmounting failed. This happened because the umount
command failed to find the respective mount address in the /proc/mounts file as it was
expecting the mount address to be in brackets; however, the mount command saves the
addresses without brackets. With this update, the brackets are stripped during the unmount
process and the unmount process succeeds.
BZ#723780
Prior to this update, the system returned a misleading error message when an NFS mount
failed due to TCP Wrappers restrictions on the server. With this update, the system returns
the "mount.nfs: access denied by server while mounting" error message.
BZ#723438
The showmount command caused the rpc.mountd daemon to terminate unexpectedly with a
segmentation fault. This happened because showmount requested a list of clients that have
performed an NFS mount recently from the mount link list with an RPC (Remote Procedure
Call) message sent to the daemon. However, the mount link list was not initialized correctly.
With this update, the mount link list is initialized correctly and the problem no longer
occurs.
BZ#731693
Mounting failed if no NFS version ("nfsvers") was defined. Also, the system returned no
error message when the NFS version was specified incorrectly. With this update, the system
returns the following error in such cases: "mount.nfs: invalid mount option was specified."
BZ#726112
The "showmount -e" command returned only the first client that imported a directory. This
occurred due to an incorrect filtering of group names of clients. This bug has been fixed
and the command returns all hosts that import the directory.
BZ#697359
The nfs-utils manual pages did not contain a description of the "-n" command-line option.
This update adds the information to the rpc.svcgssd(8) man page.
BZ#720479
Due to an incorrect library order at link time, building nfs-utils from the source package
resulted in a non-functional rpc.svcgssd daemon. This update reorders libgssglue in the
spec file and the daemon works as expected in this scenario.
BZ#747400
Prior to this update, the rpcdebug tool run with the "pnfs" flag failed over to "nfs". This
update adds the pNFS and FSCache debugging option and the problem no longer occurs.
BZ#729001
The debuginfo file for the rpcdebug binary was missing in the debuginfo package because
the spec file defined the installation of the rpcdebug tool with the "-s" parameter. The
parameter caused the binary to be stripped of debugging information on installation. With
this update, the spec file was modified and the debuginfo file is now available in the
debuginfo package.
BZ#692702
The rpc.idmapd daemon occasionally failed to start because the /var/lib/nfs/rpc_pipefs/
directory was not mounted on the daemon startup. With this update, the startup script
checks if the directory is mounted.
Enhancement
BZ#715078
This update adds details about exports to specific IPv6 addresses or subnets to the
exports(5) manual page.
Users of nfs-utils are advised to upgrade to these updated packages, which contain backported
patches to resolve these issues and add this enhancement. After installing this update, the nfs
service will be restarted automatically.
4.195.2. RHBA-2012:0673 — nfs-utils bug fix update
Updated nfs-utils packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The nfs-utils packages provide a daemon for the kernel Network File System (NFS) server and related
tools, which provides better performance than the traditional Linux NFS server used by most users.
These packages also contain the mount.nfs, umount.nfs, and showmount programs.
Bug Fix
BZ#812450
Previously, the nfsd daemon was started before the mountd daemon. However, nfsd uses
mountd to validate file handles. Therefore, if an existing NFS client sent requests to the NFS
server when nfsd was started, the client received the ESTALE error causing client
applications to fail. This update changes the startup order of the daemons: the mountd
daemon is now started first so that it can be correctly used by nfsd, and the client no longer
receives the ESTALE error in this scenario.
All users of nfs-utils are advised to upgrade to these updated packages, which fix this bug.
4.196. nfs-utils-lib
4.196.1. RHBA-2011:1750 — nfs-utils-lib bug fix update
Updated nfs-utils-lib packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The nfs-utils-lib packages contain support libraries required by programs in the nfs-utils package.
Bug Fix
BZ#711210
Prior to this update, libnfsidmap did not support ldap. With this update, nfs-utils-lib
provides ldap support.
All users of nfs-utils-lib are advised to upgrade to these updated packages, which fix this bug.
4.197. nmap
4.197.1. RHBA-2011:0967 — nmap bug fix update
An updated nmap package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The nmap package provides a network exploration utility and a security scanner.
Bug Fix
BZ#621045
Prior to this update, the output of the "nmap -h" (or "nmap --help") command did not
describe all the available nmap options that begin with the "-s" or "-P" prefix. As a result, a
user could have been unable to research what options can be used to perform specific
tasks with nmap. With this update, the bug has been fixed so that the output of "nmap -h"
now describes all the aforementioned nmap options that were previously missing from the
output.
All users of nmap are advised to upgrade to this updated package, which fixes this bug.
4.198. nspr, nss, nss-softokn, and nss-util
4.198.1. RHBA-2011:1584 — nspr, nss, nss-softokn, and nss-util bug fix and enhancement update
Updated nspr and nss related packages that fix several bugs and add various enhancements are
now available for Red Hat Enterprise Linux 6.
Netscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system
facilities. These facilities include threads, thread synchronization, normal file and network I/O,
interval timing, calendar time, basic memory management (the malloc() and free() functions), and
shared library linking.
Network Security Services (NSS) is a set of libraries designed to support the cross-platform
development of security-enabled client and server applications. Applications built with NSS can
support SSLv2, SSLv3, TLS, and other security standards.
The nss component has been upgraded to upstream version 3.12.10, which provides a number of
bug fixes and enhancements. (BZ#712958)
The nss-util package has been upgraded to upstream version 3.12.10, which provides a number of
bug fixes and enhancements. (BZ#712960)
The nspr component has been upgraded to upstream version 4.8.8, which provides a number of bug
fixes and enhancements. (BZ#712963)
Bug Fixes
BZ#668882
The CMS message decoder lost the pointer to enveloped data when decoding a message
encoded with CMS (Cryptographic Message Syntax) that contained enveloped data.
Consequently, the decoder got into an infinite loop and decoding terminated due to a stack
overflow. With this update, the underlying code has been modified and the problem no
longer occurs.
BZ#671266
The CMS routines failed to verify signed data when the SignerInfo object was using a
subjectKeyID extension to indicate the signer and returned the following output:
signer 0 status = SigningCertNotFound cmsutil: problem decoding:
Unrecognized Object Identifier.
With this update, the subjectKeyID entries have been added to a temporary in-memory map
of subjectKeyID values of certificates and the verification of such data now succeeds.
BZ#695018
When running debug builds, the pem module occasionally terminated with a segmentation
fault when attempting to write to its log file due to insufficient permissions. This happened
when the module was initially used by an application with superuser privileges, which
created the log file, and subsequently by an application with non-superuser privileges as
the application could not access the logging file due to lower privileges.
BZ#703658
When using the generateCRMFRequest tool to produce an RSA key larger than 2048, the
process failed. This occurred because the crmf library used by generateCRMFRequest had
the value for the maximum size for wrapped private keys (the MAX_WRAPPED_KEY_LEN
property) hardcoded to 2048 bytes. The size is now adjusted based on the provided key
attributes and the problem no longer occurs.
BZ#710298
On a 64-bit CPU with native AES instruction support, the intel_aes_decrypt_cbc_256()
function did not work correctly when input and output buffers were the same and the
function call failed with the message "data mismatch". This update fixes the code and the
same buffer can be used for input and output.
BZ#747053
The health tests for deterministic random bit generator (DRBG) have been updated to better
meet FIPS requirements.
BZ#747387
On NSS initialization, the module loader incorrectly initialized the PKCS#11 module even if
the module was not adding any persistent certificate or module databases. Consequently,
an attempt to synchronize usernames and passwords on an IPA server with data on an
Active Directory server failed with the error "{'desc': "Can't contact LDAP server"}". The NSS
module loader now checks the relevant flags and the problem no longer occurs.
Enhancements
BZ#688423
NSS supports pluggable ECC (Error-Correcting Code) memory.
BZ#724001, BZ#724002, BZ#724003, BZ#724004
The nss-softokn, nss-util, nss, and nspr libraries have been built with partial RELRO
support (-Wl,-z,relro).
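Whether a library was really linked with -Wl,-z,relro can be checked from its ELF headers. The following C checker is an added example (not Red Hat's or NSS's code): it assumes a native-endian ELF64 image and Linux's <elf.h>, its function names are hypothetical, and it also reports full RELRO when immediate binding is flagged. The sample image used by sample_level() is constructed.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum relro { RELRO_BAD = -1, RELRO_NONE = 0, RELRO_PARTIAL = 1, RELRO_FULL = 2 };

/* Classify an ELF64 image held in memory.
 * Partial RELRO: a PT_GNU_RELRO segment exists (-z relro).
 * Full RELRO:    PT_GNU_RELRO plus immediate binding (-z now), so the
 *                whole GOT can be made read-only after relocation. */
int relro_level(const unsigned char *img, size_t len)
{
    Elf64_Ehdr eh;
    int have_relro = 0, bind_now = 0;

    if (len < sizeof eh)
        return RELRO_BAD;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64)
        return RELRO_BAD;
    /* Bounds-check the program header table before touching it. */
    if (eh.e_phentsize != sizeof(Elf64_Phdr) || eh.e_phoff > len ||
        (uint64_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return RELRO_BAD;

    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_RELRO)
            have_relro = 1;
        if (ph.p_type != PT_DYNAMIC)
            continue;
        if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset)
            return RELRO_BAD;
        /* Walk the dynamic section looking for any "bind now" marker. */
        for (uint64_t off = 0; off + sizeof(Elf64_Dyn) <= ph.p_filesz;
             off += sizeof(Elf64_Dyn)) {
            Elf64_Dyn d;
            memcpy(&d, img + ph.p_offset + off, sizeof d);
            if (d.d_tag == DT_NULL)
                break;
            if (d.d_tag == DT_BIND_NOW)
                bind_now = 1;
            if (d.d_tag == DT_FLAGS && (d.d_un.d_val & DF_BIND_NOW))
                bind_now = 1;
            if (d.d_tag == DT_FLAGS_1 && (d.d_un.d_val & DF_1_NOW))
                bind_now = 1;
        }
    }
    if (!have_relro)
        return RELRO_NONE;
    return bind_now ? RELRO_FULL : RELRO_PARTIAL;
}

/* Build a constructed, minimal image (header, two program headers, two
 * dynamic entries), classify it, and return the result. */
int sample_level(int relro, int now)
{
    unsigned char buf[256];
    Elf64_Ehdr eh;
    Elf64_Phdr ph[2];
    Elf64_Dyn dyn[2];

    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memset(dyn, 0, sizeof dyn);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = 2;
    ph[0].p_type = PT_DYNAMIC;
    ph[0].p_offset = sizeof eh + sizeof ph;
    ph[0].p_filesz = sizeof dyn;
    ph[1].p_type = relro ? PT_GNU_RELRO : PT_NULL;
    dyn[0].d_tag = now ? DT_FLAGS : DT_DEBUG;
    dyn[0].d_un.d_val = now ? DF_BIND_NOW : 0;
    dyn[1].d_tag = DT_NULL;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, sizeof ph);
    memcpy(buf + sizeof eh + sizeof ph, dyn, sizeof dyn);
    return relro_level(buf, sizeof eh + sizeof ph + sizeof dyn);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "none", "partial", "full" };
    if (argc < 2) {
        printf("constructed sample: %s RELRO\n", names[sample_level(1, 0)]);
        return 0;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END);
    long sz = ftell(f);
    rewind(f);
    unsigned char *img = sz > 0 ? malloc((size_t)sz) : NULL;
    int lvl = (img && fread(img, 1, (size_t)sz, f) == (size_t)sz)
                  ? relro_level(img, (size_t)sz) : RELRO_BAD;
    fclose(f);
    free(img);
    printf("%s: %s\n", argv[1], lvl < 0 ? "not a readable ELF64 file" : names[lvl]);
    return lvl < 0;
}
```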
Users are advised to upgrade to these updated nspr and nss related packages, which fix the bugs
and add the enhancements.
4.199. nss
4.199.1. RHBA-2011:1838 — nss bug fix update
Updated nss packages that fix one bug are now available for Red Hat Enterprise Linux 6.
Network Security Services (NSS) is a set of libraries designed to support the cross-platform
development of security-enabled client and server applications.
Bug Fix
BZ#766056
Recent changes to NSS re-introduced a problem where applications could not use multiple
SSL client certificates in the same process. Therefore, any attempt to run commands that
worked with multiple SSL client certificates, such as the "yum repolist" command, resulted in
a re-negotiation handshake failure. With this update, a revised patch correcting this
problem has been applied to NSS, and using multiple SSL client certificates in the same
process is now possible again.
All users of nss are advised to upgrade to these updated packages, which fix this bug.
4.200. nss-pam-ldapd
4.200.1. RHBA-2011:1705 — nss-pam-ldapd bug fix and enhancement update
An updated nss-pam-ldapd package that fixes multiple bugs and adds one enhancement is now
available for Red Hat Enterprise Linux 6.
[Updated 24 January 2012] This advisory has been updated with the correct package description in
the Details section. The package included in this revised update has not been changed in any way
from the package included in the original advisory.
The nss-pam-ldapd package provides the nss-pam-ldapd daemon (nslcd) which uses a directory
server to look up name service information on behalf of a lightweight nsswitch module.
Bug Fixes
BZ#706454
When the nss-pam-ldapd package was installed, settings for the nslcd daemon were
migrated from the configuration files used by the pam_ldap module or a previously
installed copy of the nss_ldap package. If the nslcd configuration file was modified, settings
would be migrated again, often with an error. With this update, the migration is performed
only if the package has not been previously installed.
BZ#706860
Prior to this update, when the nslcd daemon retrieved information about a user or group,
the name of the user or group would be checked against the value of the "validnames"
configuration setting. The default value of the setting expected the names to be at least
three characters long, therefore names which were only two characters long were flagged
as invalid. This could have negative impact on some installations. With this update, the
default value of the "validnames" setting is modified to a minimum of two characters so that
short names are accepted.
BZ#716822, BZ#720230
Because the buffer used for the group field of a user password entry was not big enough,
the primary group ID of a user could not be parsed if it contained more than nine digits. As
a consequence, the nslcd daemon could drop some of the digits. With this update, nslcd is
modified to parse large user IDs properly.
BZ#741362
An incorrect use of the strtol() call could cause large user ID values to overflow on 32-bit
architectures. New functions have been implemented with this update, so that large user IDs
are parsed correctly.
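The two ID-parsing bugs above (BZ#716822, BZ#720230 and BZ#741362) come down to buffer sizing and integer range. The following C sketch is an added example, not nslcd's code, and all function names in it are hypothetical: it emulates what strtol() returns where long is 32 bits wide, then shows a parser and formatter that keep the full 32-bit unsigned ID range and detect truncation.

```c
#include <ctype.h>
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Emulates strtol() on a 32-bit (ILP32) system: out-of-range input is
 * clamped to LONG_MAX / LONG_MIN, so an ID above 2147483647 is lost. */
int32_t strtol_ilp32(const char *s)
{
    long long v = strtoll(s, NULL, 10);
    if (v > INT32_MAX)
        return INT32_MAX;
    if (v < INT32_MIN)
        return INT32_MIN;
    return (int32_t)v;
}

/* Parse a decimal UID/GID into an unsigned 32-bit value.
 * Returns 0 on success, -1 if the text is not a plain in-range number. */
int parse_id(const char *s, uint32_t *out)
{
    char *end;
    unsigned long long v;

    /* strtoull() would accept leading blanks and a sign; refuse both. */
    if (s == NULL || !isdigit((unsigned char)s[0]))
        return -1;
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > UINT32_MAX)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

/* Convenience wrapper: the parsed ID, or `fallback` when rejected. */
uint32_t parse_id_or(const char *s, uint32_t fallback)
{
    uint32_t v;
    return parse_id(s, &v) == 0 ? v : fallback;
}

/* Format an ID into buf; -1 if cap is too small for every digit.
 * A 32-bit ID needs up to 10 digits plus the terminating NUL. */
int format_id(uint32_t id, char *buf, size_t cap)
{
    int n = snprintf(buf, cap, "%" PRIu32, id);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* 1 if `id` survives formatting into a cap-byte field and parsing back. */
int roundtrip_ok(uint32_t id, size_t cap)
{
    char buf[32];
    uint32_t back;

    if (cap > sizeof buf || format_id(id, buf, cap) != 0)
        return 0;
    return parse_id(buf, &back) == 0 && back == id;
}

int main(void)
{
    const char *big = "3000000000"; /* constructed sample ID, ten digits */

    printf("strtol with 32-bit long: %" PRId32 "\n", strtol_ilp32(big));
    printf("range-checked parse:     %" PRIu32 "\n", parse_id_or(big, 0));
    printf("10-byte field round trip: %d\n", roundtrip_ok(3000000000u, 10));
    printf("11-byte field round trip: %d\n", roundtrip_ok(3000000000u, 11));
    return 0;
}
```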
Enhancement
BZ#730309
Previously, if "DNS" was specified as the value of the LDAP "uri" setting in the
/etc/nslcd.conf file, the nslcd service would attempt to look up DNS SRV records for the
LDAP server (in order to determine which directory server to contact) only in the local host's
current DNS domain. As a consequence, nslcd could not search for an LDAP server in a
different domain. With this update, the DNS domain which is used in the lookup can now be
specified by providing a value in the form "DNS:domainname".
All users of nss-pam-ldapd are advised to upgrade to this updated package, which fixes these bugs
and adds this enhancement.
4.200.2. RHBA-2012:0055 — nss-pam-ldapd bug fix update
An updated nss-pam-ldapd package that fixes one bug is now available for Red Hat Enterprise Linux
6.
The nss-pam-ldapd package provides the nss-pam-ldapd daemon (nslcd) which uses a directory server to
look up name service information on behalf of a lightweight nsswitch module.
Bug Fix
BZ#771322
Previously, the nslcd daemon performed the idle time expiration check for the LDAP
connection before starting an LDAP search operation. On a lossy network or if the LDAP
server was under a heavy load, a connection could time out after a successful check and
the search operation then failed. With this update, the idle time expiration test is now
performed during the LDAP search operation so that the connection now no longer expires
under these circumstances.
All users of nss-pam-ldapd are advised to upgrade to this updated package, which fixes this bug.
4.201. nss_db
4.201.1. RHBA-2012:0346 — nss_db bug fix update
An updated nss_db package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The nss_db package contains a set of C library extensions, such as the Name Service Switch
(nsswitch) module, which allow Berkeley Databases to be used as a primary source of aliases,
groups, hosts, networks, protocols, users, services, or shadow passwords instead of, or in addition
to, using flat files or the Network Information Service (NIS).
Bug Fix
BZ#788668
The previous update of nss_db attempted to fix a bug, which under certain circumstances
prevented multi-threaded applications from obtaining complete lists of user's supplemental
group memberships. This problem was not completely fixed due to an internal error that
occurred when using an insufficiently large temporary buffer to parse a group entry with a
large list of users. This update resolves the issue by resetting the buffer's contents after the
buffer has been resized. Large group lists are thus correctly parsed and the entire list of
user's supplemental groups is now correctly listed in this scenario.
All users of nss_db are advised to upgrade to this updated package, which fixes this bug.
4.202. omping
4.202.1. RHEA-2011:1576 — omping bug fix and enhancement update
An updated omping package that fixes several bugs and adds various enhancements is now
available as a Technology Preview for Red Hat Enterprise Linux 6.
Open Multicast Ping (omping) is a tool for testing IP multicast functionality, primarily on a LAN (local
area network). It allows users to test multicast and receive sufficient information to detect whether a
potential problem exists in the network configuration, or lies elsewhere, as might be the case with a
bug.
The omping package has been upgraded to upstream version 0.0.4, which provides a number of bug
fixes and the following enhancements:
support for Source Specific Multicast (SSM);
support for broadcast;
single node mode, which allows users to detect a misconfigured local firewall;
more precise and rich statistics;
rate limiting;
duplicate packet detection.
BZ#696747
Users are advised to upgrade to this updated omping package, which resolves these bugs and adds
these enhancements. Note that this package is included as a Technology Preview.
4.203. opencryptoki
4.203.1. RHBA-2011:1572 — opencryptoki bug fix and enhancement update
Updated opencryptoki packages that fix several bugs and add various enhancements are now
available for Red Hat Enterprise Linux 6.
The openCryptoki package contains version 2.11 of the PKCS#11 API, implemented for IBM
Cryptocards. This package includes support for the IBM 4758 Cryptographic CoProcessor (with the
PKCS#11 firmware loaded), the IBM eServer Cryptographic Accelerator (FC 4960 on IBM eServer
System p), the IBM Crypto Express2 (FC 0863 or FC 0870 on IBM System z), and the IBM CP Assist
for Cryptographic Function (FC 3863 on IBM System z).
Bug Fixes
BZ#734489
When setting the length of an RSA key for the IBM Cryptographic Accelerator (ICA) token,
initialization of the CKA_MODULUS_BITS internal attribute of PKCS#11 was not properly
tested and the RSA key length could have been set incorrectly. As a consequence, RSA key
verification in the ICA token failed. To ensure that the RSA key is set correctly, two
conditions have been added in the respective function in the ICA specific library. The RSA
key operations now work properly on the ICA token.
BZ#730903
Prior to this update, the documentation provided with opencryptoki packages stated that
users using opencryptoki needed to be members of the "pkcs11" group but did not mention
the real privileges granted by adding a user to the group. Consequently, it was not clear
that the members of the "pkcs11" group are assumed to be fully trusted. With this update,
the opencryptoki(7) man page now contains a security note.
BZ#732756
Prior to this update, an unnecessary check in the attach_shared_memory() function
required explicit group membership regardless of the current effective
privileges. Consequently, upon installation of the opencryptoki packages and creation of
the "pkcs11" group, the root user was added to the group. However, the root user should not
need access to the group to be able to access shared memory. With this update, the shared
memory checks have been corrected and the root user no longer requires membership of the
"pkcs11" group.
Enhancement
BZ#693779
The openCryptoki package has been upgraded to upstream version 2.4, which provides a
number of bug fixes and enhancements over the previous version.
Users are advised to upgrade to these updated packages, which fix these bugs and add these
enhancements.
4.204. openldap
4.204.1. RHBA-2011:1514 — openldap bug fix and enhancement update
Updated openldap packages that fix a number of bugs and add various enhancements are now
available for Red Hat Enterprise Linux 6.
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications
and development tools. LDAP is a set of protocols for accessing directory services (usually phone
book style information, but other information is possible) over the Internet, similar to the way DNS
(Domain Name System) information is propagated over the Internet. The openldap package contains
configuration files, libraries, and documentation for OpenLDAP.
Bug Fixes
BZ#717738
In a utility which uses both OpenLDAP and Mozilla NSS (Network Security Services)
libraries, OpenLDAP validates the TLS peer and the certificate is cached by the Mozilla NSS
library. The utility then sometimes terminated unexpectedly on the NSS_Shutdown()
function call because the client certificate was not freed and the cache could not be
destroyed. With this update, the peer certificate is freed in the OpenLDAP library after certificate
validation is finished, all cache entries can now be deleted properly, and the
NSS_Shutdown() call now succeeds as expected.
BZ#726984
When a program used the OpenLDAP library to securely connect to an LDAP server using
SSL/TLS, while the server was using a certificate with a wildcarded common name (for
example CN=*.example.com), the connection to the server failed. With this update, the
library has been fixed to verify wildcard hostnames used in certificates correctly, and the
connection to the server now succeeds if the wildcard common name matches the server
name.
BZ#727533
Previously, if an OpenLDAP server was installed with an SQL back end, the server
terminated unexpectedly after a few operations. An upstream patch, which updates data
types for storing the length of the values by using the ODBC (Open Database Connectivity)
interface, has been provided to address this issue. Now, the server no longer crashes when
the SQL back end is used.
BZ#684810
The slapd-config(5) and ldap.conf(5) manual pages contained incorrect
information about TLS settings. This update adds new TLS documentation relevant for the
Mozilla NSS cryptographic library.
BZ#698921
When an LDIF (LDAP Data Interchange Format) input file was passed to the ldapadd utility
or another openldap client tool, and the file was not terminated by a newline character, the
client terminated unexpectedly. With this update, client utilities are able to properly handle
such LDIF files, and the crashes no longer occur in the described scenario.
BZ#701227
When an LDIF (LDAP Data Interchange Format) input file was passed to the ldapadd
utility or another openldap client tool, and a line in the file was split into two lines but was
missing correct indentation (the second line has to be indented by one space character),
the client terminated unexpectedly. With this update, client utilities are able to properly
handle such LDIF files, and the crashes no longer occur in the described scenario.
BZ#709407
When an OpenLDAP server was under heavy load or multiple replicating OpenLDAP
servers were running, and, at the same time, TLS/SSL mode with certificates in PEM (Privacy
Enhanced Mail) format was enabled, a race condition caused the server to terminate
unexpectedly after a random amount of time (ranging from minutes to weeks). With this
update, a mutex has been added to the code to protect calls of thread-unsafe Mozilla NSS
functions dealing with PEM certificates, and the crashes no longer occur in the described
scenario.
BZ#712358
When the openldap-servers package was installed on a machine while the initscript package
was not already installed, some scriptlets terminated during installation and error
messages were returned. With this update, initscripts have been defined as a required
package for openldap-servers, and no error messages are now returned in the described
scenario.
BZ#713525
When an openldap client had the TLS_REQCERT option set to never and the
TLS_CACERTDIR option set to an empty directory, TLS connection attempts to a remote
server failed as TLS could not be initialized on the client side. Now, TLS_CACERTDIR
errors are ignored when TLS_REQCERT is set to never, thus fixing this bug.
BZ#722923
When a slapd.conf file was converted into a new slapd.d directory while the constraint
overlay was in place, the constraint_attribute option of the size or count type was
converted to the olcConstraintAttribute option with its value part missing. A patch
has been provided to address this issue and constraint_attribute options are now
converted correctly in the described scenario.
BZ#722959
When an openldap client had the TLS_REQCERT option set to never and the remote LDAP
server used a certificate issued by a CA (Certificate Authority) whose certificate had expired,
connection attempts to the server failed due to the expired certificate. Now, expired CA
certificates are ignored when TLS_REQCERT is set to never, thus fixing this bug.
BZ#723487
Previously, the openldap package compilation log file contained warning messages
returned by strict-aliasing rules. These warnings indicated that unexpected runtime
behavior could occur. With this update, the -fno-strict-aliasing option is passed to
the compiler to avoid optimizations that can produce invalid code, and no warning
messages are now returned during the package compilation.
BZ#723514
Previously, the olcDDStolerance option was shortening TTL (time to live) for dynamic
entries, instead of prolonging it. Consequently, when an OpenLDAP server was configured
with the dds overlay and the olcDDStolerance option was enabled, the dynamic entries
were deleted before their TTL expired. A patch has been provided to address this issue and
the real lifetime of a dynamic entry is now calculated properly, as described in
documentation.
BZ#729087
When a utility used the OpenLDAP library and TLS to connect to a server, while the library
failed to verify a certificate or a key, a memory leak occurred in the
tlsm_find_and_verify_cert_key() function. Now, verified certificates and keys are
properly disposed of when their verification fails, and memory leaks no longer occur in the
described scenario.
BZ#729095
When the olcVerifyClient option was set to allow in an OpenLDAP server or the
TLS_REQCERT option was set to allow in a client utility, while the remote peer certificate
was invalid, OpenLDAP server/client connection failed. With this update, invalid remote
peer certificates are ignored, and connections can now be established in the described
scenario.
BZ#731168
When multiple TLS operations were performed by clients or other replicated servers, with the
openldap-servers package installed and TLS enabled, the server terminated unexpectedly.
With this update, a mutex has been added to the code to protect calls of thread-unsafe
Mozilla NSS initialization functions, and the crashes no longer occur in the described
scenario.
BZ#732001
When the openldap-servers package was being installed on a server for the first time,
a redundant and confusing / character was printed during the installation. With this update,
the responsible RPM scriptlet has been fixed and the / character is no longer printed in the
described scenario.
BZ#723521
Previously, the slapo-unique manual page was missing information about quoting the
keywords and URIs (uniform resource identifiers), and the attribute parameter was not
described in the section about unique_strict configuration options. A patch has been
provided to address these issues and the manual page is now up-to-date.
BZ#742592
Previously, when the openldap-servers package was installed, host-based ACLs did not
work. With this update, configuration flags that enable TCP wrappers have been updated,
and the host-based ACLs now work as expected.
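The two LDIF input shapes named in BZ#698921 and BZ#701227 (no final newline, and a split line without the leading space) can be handled by a reader that unfolds lines first and rejects what is left over. The following is an added example, not code from OpenLDAP or from these notes; the sample LDIF strings are constructed, and the function names are hypothetical.

```python
import base64
import binascii


class LDIFSyntaxError(ValueError):
    """Malformed LDIF input, reported with the physical line number."""


def unfold(text):
    """Join folded lines; return a list of (first_line_number, content).

    LDIF folding: a physical line that starts with a single space continues
    the previous line. Blank lines are kept (content "") because they
    separate records.
    """
    logical = []
    # splitlines() also yields a final line that has no trailing newline,
    # which is the input shape described in BZ#698921.
    for number, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith(" "):
            if not logical or logical[-1][1] == "":
                raise LDIFSyntaxError(
                    f"line {number}: continuation with nothing to continue")
            first, content = logical[-1]
            logical[-1] = (first, content + raw[1:])
        else:
            logical.append((number, raw))
    return logical


def parse(text):
    """Parse LDIF content records into lists of (attribute, value) pairs."""
    records, current = [], []
    for number, line in unfold(text):
        if line == "":
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue  # comment; a folded comment was already joined
        attr, sep, rest = line.partition(":")
        if not sep or not attr:
            # The BZ#701227 input shape: the second half of a split value
            # lacks the leading space, so it arrives as a line without an
            # "attribute:" prefix. Report it instead of crashing.
            raise LDIFSyntaxError(
                f"line {number}: expected 'attribute: value', got {line!r}")
        if rest.startswith(":"):
            # "attr:: <base64>" carries a base64-encoded value.
            try:
                value = base64.b64decode(rest[1:].strip(), validate=True)
            except binascii.Error as exc:
                raise LDIFSyntaxError(
                    f"line {number}: bad base64: {exc}") from None
        else:
            value = rest.lstrip(" ")
        current.append((attr, value))
    if current:
        records.append(current)
    return records


# Constructed sample: folded value, base64 value, no newline at end of file.
GOOD_LDIF = (
    "dn: cn=Alice Example,ou=People,dc=example,dc=com\n"
    "cn: Alice Example\n"
    "description: a long value that has been folded on\n"
    " to a second physical line\n"
    "sn:: RXhhbXBsZQ==\n"
    "\n"
    "dn: cn=Bob,dc=example,dc=com\n"
    "cn: Bob"
)

# Constructed sample: the continuation on line 3 is missing its leading space.
BAD_LDIF = (
    "dn: cn=Carol,dc=example,dc=com\n"
    "description: a value split across two lines but\n"
    "missing the leading space\n"
)

if __name__ == "__main__":
    for record in parse(GOOD_LDIF):
        print(record)
    try:
        parse(BAD_LDIF)
    except LDIFSyntaxError as exc:
        print("rejected:", exc)
```

A split line whose second half happens to contain a colon still parses as a separate attribute, so a check against the schema remains necessary for such input.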
Enhancements
BZ#730311
Previously, when a connection to an LDAP server was created by specifying search root
DN (distinguished name) instead of the server hostname, the SRV records in DNS were
requested and a list of LDAP server hostnames was generated. The servers were then
queried in the order in which the DNS server returned them, but the priority and weight of
the records were ignored. This update adds support for priority/weight of the DNS SRV
records, and the servers are now queried according to their priority/weight, as required by
RFC 2782.
BZ#712494
In the default installation of the openldap-servers package, the configuration database
(cn=config) could only be modified manually when the slapd daemon was not running.
With this update, the ldapi:/// interface has been enabled by default, and the ACLs
(access control lists) now enable the root user to modify the server configuration without
stopping the server and using OpenLDAP client tools if he is authenticated using
ldapi:/// and the SASL/EXTERNAL mechanism.
BZ#723999
The openldap package was compiled without RELRO (read-only relocations) flags and was
therefore vulnerable to various attacks based on overwriting the ELF section of a program.
To increase the security of the package, the openldap spec file has been modified to use the
-Wl,-z,relro flags when compiling the package. The openldap package is now provided
with partial RELRO protection.
Users of openldap are advised to upgrade to these updated packages, which fix these bugs and
add these enhancements.
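The server ordering that BZ#730311 refers to follows the selection algorithm in RFC 2782: lowest priority value first, and a weighted random choice among records that share a priority. The following is an added example of that algorithm, not the OpenLDAP implementation; the SRV records are constructed, the function names are hypothetical, and the DN-to-name helper is simplified (it accepts only plain dc= components).

```python
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")


def dn_to_srv_name(base_dn):
    """Map a search root DN such as dc=example,dc=com to its SRV owner name."""
    labels = []
    for rdn in base_dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.lower() != "dc" or not value:
            raise ValueError(f"not a domain-component RDN: {rdn!r}")
        labels.append(value)
    return "_ldap._tcp." + ".".join(labels)


def order_srv(records, rng=None):
    """Return SRV records in the order a client should try them (RFC 2782)."""
    rng = rng or random.SystemRandom()
    ordered = []
    # Lower priority values are always contacted before higher ones.
    for priority in sorted({r.priority for r in records}):
        # Weight-0 records go first in the pool, so they are selected only
        # when the random draw is 0 while weighted records remain.
        pool = sorted((r for r in records if r.priority == priority),
                      key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)  # inclusive on both ends
            running = 0
            for index, record in enumerate(pool):
                running += record.weight
                if running >= pick:
                    ordered.append(pool.pop(index))
                    break
    return ordered


def to_uris(records):
    """Render ordered records as LDAP URIs."""
    return [f"ldap://{r.target}:{r.port}" for r in records]


# Constructed answer for _ldap._tcp.example.com, in the (arbitrary) order a
# DNS server might return it. Using it as-is would try the backup first.
SAMPLE = [
    SRV(20, 0, 389, "backup.example.com"),
    SRV(10, 20, 389, "ldap2.example.com"),
    SRV(10, 60, 389, "ldap1.example.com"),
    SRV(10, 20, 389, "ldap3.example.com"),
]


def first_choice_share(target, trials, seed=1):
    """Fraction of trials in which `target` is tried first (seeded PRNG)."""
    rng = random.Random(seed)
    hits = sum(order_srv(SAMPLE, rng)[0].target == target
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print(dn_to_srv_name("dc=example,dc=com"))
    print(to_uris(order_srv(SAMPLE)))
    print("ldap1 tried first:", first_choice_share("ldap1.example.com", 2000))
```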
4.205. openmotif
4.205.1. RHBA-2011:1228 — openmotif bug fix update
An updated openmotif package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The openmotif package includes the Motif shared libraries needed to run applications that are
dynamically linked against Motif, as well as the Motif Window Manager (MWM).
Bug Fix
BZ#584300
Previously, under certain circumstances, LabelGadget could have drawn over a parent
window with the background color and, if using the Xft fonts, also over the text. With this
update, the text and background drawing functionality has been fixed so that the
aforementioned problems do not occur anymore.
All users of openmotif are advised to upgrade to this updated package, which fixes this bug.
4.206. openoffice.org
4.206.1. RHSA-2012:0705 — Important: openoffice.org security update
Updated openoffice.org packages that fix multiple security issues are now available for Red Hat
Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
OpenOffice.org is an office productivity suite that includes desktop applications, such as a word
processor, spreadsheet application, presentation manager, formula editor, and a drawing program.
Security Fixes
CVE-2012-2334
An integer overflow flaw, leading to a buffer overflow, was found in the way OpenOffice.org
processed an invalid Escher graphics records length in Microsoft Office PowerPoint
documents. An attacker could provide a specially-crafted Microsoft Office PowerPoint
document that, when opened, would cause OpenOffice.org to crash or, potentially, execute
arbitrary code with the privileges of the user running OpenOffice.org.
CVE-2012-1149
Multiple integer overflow flaws, leading to heap-based buffer overflows, were found in the
JPEG, PNG, and BMP image file reader implementations in OpenOffice.org. An attacker
could provide a specially-crafted JPEG, PNG, or BMP image file that, when opened in an
OpenOffice.org application, would cause the application to crash or, potentially, execute
arbitrary code with the privileges of the user running the application.
Upstream acknowledges Sven Jacobi as the original reporter of CVE-2012-2334, and Tielei Wang
via Secunia SVCRP as the original reporter of CVE-2012-1149.
All OpenOffice.org users are advised to upgrade to these updated packages, which contain
backported patches to correct these issues. All running instances of OpenOffice.org applications
must be restarted for this update to take effect.
4.207. openscap
4.207.1. RHBA-2011:1618 — openscap bug fix and enhancement update
Updated openscap packages that fix various bugs and add several enhancements are now
available for Red Hat Enterprise Linux 6.
The Security Content Automation Protocol (SCAP) is a line of standards that provide a standard
language for the expression of Computer Network Defense (CND) related information. OpenSCAP is
a set of open source libraries for the integration of SCAP.
The openscap packages have been upgraded to upstream version 0.8.0, which provides a number
of bug fixes and enhancements over the previous version. The most important changes include
support for Open Vulnerability and Assessment Language (OVAL) version 5.8. (BZ#697648)
All users of openscap are advised to upgrade to these updated packages, which fix these bugs and
add these enhancements.
4.208. openssh
4.208.1. RHBA-2011:1551 — openssh bug fix and enhancement update
Updated openssh packages that fix multiple bugs and add one enhancement are now available for
Red Hat Enterprise Linux 6.
OpenSSH is OpenBSD's Secure Shell (SSH) protocol implementation. These packages include the
core files necessary for the OpenSSH client and server.
Bug Fixes
BZ#685060
Prior to this update, SELinux could prevent users from uploading new files to their home
directories in a chrooted Secure File Transfer Protocol (SFTP) environment. This bug has
been fixed and users are now able to upload and download files in a chrooted environment
using SFTP.
BZ#705397, BZ#728459
Prior to this update, multiple manual pages contained formatting errors. As a consequence,
error messages or warnings could be displayed when viewing these manual pages. The
formatting has been corrected and the error messages and warnings are no longer
displayed.
BZ#708056
Previously, when the SSH_USE_STRONG_RNG environment variable was set to 1, openssh
read 48 bytes from the /dev/random number generator to generate a seed. This seed was
too long and caused long delays on ssh or sshd startup and when connections were
received. Now, the SSH_USE_STRONG_RNG variable contains the number of bytes that
should be pulled from /dev/random (with a minimum default value of six) and the delays no
longer occur.
BZ#714554
Previously, when restarting the dovecot service, ssh could become unresponsive. With this
update, the source code is modified and the dovecot service now restarts properly and
without hanging.
BZ#729021
Prior to this update, the debuginfo file was missing in the debuginfo package. With this
update, the debuginfo file is included in the package and users can now view all debug
information.
BZ#731939
Previously, the lastlog command did not show the last login of a user with a big user ID on
32-bit architectures. With this update, the source code is modified so that the last login
information is now always recorded.
Enhancement
BZ#695781
With this update, multiple manual pages now describe Internet Protocol version 6 (IPv6)
usage.
All users of openssh are advised to upgrade to these updated packages, which fix these bugs and
add this enhancement.
4.208.2. RHEA-2012:0065 — openssh enhancement update
Updated openssh packages that add one enhancement are now available for Red Hat Enterprise
Linux 6.
OpenSSH is OpenBSD's Secure Shell (SSH) protocol implementation. These packages include the
core files necessary for the OpenSSH client and server.
Enhancement
BZ#782367
Previously, OpenSSH could use the Advanced Encryption Standard New Instructions (AES-NI)
instruction set only with the AES Cipher-block chaining (CBC) cipher. This update adds
support for Counter (CTR) mode encryption in OpenSSH so the AES-NI instruction set can
now be used efficiently also with the AES CTR cipher.
All users of openssh are advised to upgrade to these updated packages, which add this
enhancement.
4.209. openssl
4.209.1. RHSA-2012:0059 — Moderate: openssl security update
Updated openssl packages that fix multiple security issues are now available for Red Hat Enterprise
Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.
Security Fixes
CVE-2011-4108
It was discovered that the Datagram Transport Layer Security (DTLS) protocol
implementation in OpenSSL leaked timing information when performing certain operations.
A remote attacker could possibly use this flaw to retrieve plain text from the encrypted
packets by using a DTLS server as a padding oracle.
CVE-2011-4576
An information leak flaw was found in the SSL 3.0 protocol implementation in OpenSSL.
Incorrect initialization of SSL record padding bytes could cause an SSL client or server to
send a limited amount of possibly sensitive data to its SSL peer via the encrypted
connection.
CVE-2011-4577
A denial of service flaw was found in the RFC 3779 implementation in OpenSSL. A remote
attacker could use this flaw to make an application using OpenSSL exit unexpectedly by
providing a specially-crafted X.509 certificate that has malformed RFC 3779 extension data.
CVE-2011-4619
It was discovered that OpenSSL did not limit the number of TLS/SSL handshake restarts
required to support Server Gated Cryptography. A remote attacker could use this flaw to
make a TLS/SSL server using OpenSSL consume an excessive amount of CPU by
continuously restarting the handshake.
All OpenSSL users should upgrade to these updated packages, which contain backported patches
to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must
be restarted, or the system rebooted.
4.209.2. RHSA-2012:0426 — Moderate: openssl security and bug fix update
Updated openssl packages that fix two security issues and one bug are now available for Red Hat
Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.
Security Fixes
CVE-2012-1165
A NULL pointer dereference flaw was found in the way OpenSSL parsed
Secure/Multipurpose Internet Mail Extensions (S/MIME) messages. An attacker could use
this flaw to crash an application that uses OpenSSL to decrypt or verify S/MIME messages.
CVE-2012-0884
A flaw was found in the PKCS#7 and Cryptographic Message Syntax (CMS)
implementations in OpenSSL. An attacker could possibly use this flaw to perform a
Bleichenbacher attack to decrypt an encrypted CMS, PKCS#7, or S/MIME message by
sending a large number of chosen ciphertext messages to a service using OpenSSL and
measuring error response times.
This update also fixes a regression caused by the fix for CVE-2011-4619, released via
RHSA-2012:0060 and RHSA-2012:0059, which caused Server Gated Cryptography (SGC) handshakes to
fail.
All OpenSSL users should upgrade to these updated packages, which contain backported patches
to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must
be restarted, or the system rebooted.
4.209.3. RHSA-2012:0518 — Important: openssl security update
Updated openssl, openssl097a, and openssl098e packages that fix one security issue are now
available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having important security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link(s) associated with each description below.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.
Security Fix
CVE-2012-2110
Multiple numeric conversion errors, leading to a buffer overflow, were found in the way
OpenSSL parsed ASN.1 (Abstract Syntax Notation One) data from BIO (OpenSSL's I/O
abstraction) inputs. Specially-crafted DER (Distinguished Encoding Rules) encoded data
read from a file or other BIO input could cause an application using the OpenSSL library to
crash or, potentially, execute arbitrary code.
All OpenSSL users should upgrade to these updated packages, which contain a backported patch
to resolve this issue. For the update to take effect, all services linked to the OpenSSL library must be
restarted, or the system rebooted.
4.209.4. RHSA-2012:0699 — Moderate: openssl security and bug fix update
Updated openssl packages that fix one security issue and one bug are now available for Red Hat
Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.
Security Fix
CVE-2012-2333
An integer underflow flaw, leading to a buffer over-read, was found in the way OpenSSL
handled DTLS (Datagram Transport Layer Security) application data record lengths when
using a block cipher in CBC (cipher-block chaining) mode. A malicious DTLS client or
server could use this flaw to crash its DTLS connection peer.
Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges
Codenomicon as the original reporter.
On Red Hat Enterprise Linux 6, this update also fixes an uninitialized variable use bug, introduced
by the fix for CVE-2012-0884 (released via RHSA-2012:0426). This bug could possibly cause an
attempt to create an encrypted message in the CMS (Cryptographic Message Syntax) format to fail.
All OpenSSL users should upgrade to these updated packages, which contain a backported patch
to resolve these issues. For the update to take effect, all services linked to the OpenSSL library must
be restarted, or the system rebooted.
4.209.5. RHBA-2011:1730 — openssl bug fix and enhancement update
Updated openssl packages that fix two bugs and add several enhancements are now available for
Red Hat Enterprise Linux 6.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security
(TLS) protocols, as well as a full-strength general-purpose cryptography library.
Bug Fixes
BZ#693863
Prior to this update, repeatedly loading and unloading the CHIL engine could cause the
calling program to terminate unexpectedly with a segmentation fault. This happened
because a function pointer was not properly cleared after the engine was unloaded. With
this update, the underlying source code has been corrected to clear the function pointer
when the engine is unloaded, and the calling program no longer crashes in this scenario.
BZ#740188
Due to missing variable initialization, the CHIL engine could occasionally fail to load. This
update corrects the underlying source code to properly initialize this variable so that the
CHIL engine is no longer prevented from loading.
Enhancements
BZ#696389
The performance of the AES encryption algorithm on CPUs with the AES-NI instruction set,
as well as SHA-1 and RC4 algorithms on 32-bit and 64-bit x86 architectures has been
significantly improved.
BZ#708511
For testing purposes, the OpenSSL source RPM package can now be built without
additional patches.
BZ#723994
Partial RELRO is now enabled during the build of the OpenSSL libraries to improve security
vulnerability properties of applications that use these libraries.
BZ#726081
Users can now explicitly disable the built-in AES-NI (Advanced Encryption Standard New
Instruction) CPU instruction acceleration support by setting the
OPENSSL_DISABLE_AES_NI environment variable to any value.
BZ#740872
Prior to this update, there was no direct KAT (known answer test) self-test for the SHA-2
algorithms in FIPS mode; these algorithms were self-tested only during the HMAC self-tests.
This update provides an implementation of the direct KAT self-test for SHA-2 algorithms.
BZ#693858
Previously, the manual and help pages for various subcommands of the openssl utility did
not specify all digest algorithms. This update adapts these pages and users are now
instructed to run the "openssl dgst -h" command, which lists all available digests.
All users of openssl are advised to upgrade to these updated packages, which fix these bugs and
add these enhancements.
4.209.6. RHBA-2012:0360 — openssl bug fix update
An updated openssl package that fixes one bug is now available for Red Hat Enterprise Linux 6.
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security
(TLS) protocols, as well as a full strength general-purpose cryptography library.
Bug Fix
BZ#799256
The functions that implement Counter (CTR), Output Feedback (OFB), and Cipher
Feedback (CFB) block cipher modes previously incorrectly reset the counter of the
remaining bytes of a block that had not been used in the previous encryption or decryption
operation. Consequently, calling the encryption function on a small amount of data that
was not aligned to the size of the block led to incorrect data encryption or decryption in the
aforementioned modes. An upstream patch has been applied to correct the underlying
functions, and both encryption and decryption now work as expected in CTR, OFB, and
CFB modes.
All users of openssl are advised to upgrade to this updated package, which fixes this bug.
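The failure mode in BZ#799256 is easiest to see with a streaming mode that has to remember how much of the current keystream block it has already used. The following is an added example that models the defect, not OpenSSL code: the keystream block comes from SHA-256 as a stand-in for the block cipher, and the class, flag and key names are hypothetical.

```python
import hashlib

BLOCK = 16
KEY = b"constructed demo key"  # constructed value, not a real secret


def keystream_block(key, counter):
    """Stand-in for 'encrypt the counter block': 16 bytes of SHA-256 output."""
    return hashlib.sha256(key + counter.to_bytes(16, "big")).digest()[:BLOCK]


class CTRStream:
    """Counter-mode stream that may be fed data in arbitrary chunk sizes."""

    def __init__(self, key, forget_partial_block=False):
        self.key = key
        self.counter = 0
        self.block = b""
        self.used = BLOCK  # bytes consumed from self.block; BLOCK = none left
        self.forget_partial_block = forget_partial_block

    def update(self, data):
        if self.forget_partial_block:
            # Defect model: the count of unused keystream bytes left over
            # from the previous call is reset, so the leftover is discarded.
            self.used = BLOCK
        out = bytearray()
        for byte in data:
            if self.used == BLOCK:
                self.block = keystream_block(self.key, self.counter)
                self.counter += 1
                self.used = 0
            out.append(byte ^ self.block[self.used])
            self.used += 1
        return bytes(out)


def encrypt_in_chunks(key, data, sizes, forget_partial_block=False):
    """Encrypt (or decrypt) `data`, feeding it in chunks of the given sizes."""
    stream = CTRStream(key, forget_partial_block=forget_partial_block)
    out, pos = b"", 0
    for size in sizes:
        out += stream.update(data[pos:pos + size])
        pos += size
    return out


if __name__ == "__main__":
    message = bytes(range(64))
    reference = encrypt_in_chunks(KEY, message, [64])
    cases = {
        "correct, unaligned chunks": ([5, 11, 20, 28], False),
        "defect, aligned chunks": ([16, 32, 16], True),
        "defect, unaligned chunks": ([5, 11, 20, 28], True),
    }
    for label, (sizes, defect) in cases.items():
        same = encrypt_in_chunks(KEY, message, sizes, defect) == reference
        print(f"{label}: matches one-shot output = {same}")
```

The defect stays invisible as long as every call passes a multiple of the block size, which is why it surfaces only for small unaligned writes.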
4.210. openssl-ibmca
4.210.1. RHBA-2011:1568 — openssl-ibmca bug fix and enhancement update
An updated openssl-ibmca package that fixes several bugs and adds various enhancements is
available for Red Hat Enterprise Linux 6.
The openssl-ibmca package provides a dynamic OpenSSL engine for the IBM eServer Cryptographic
Accelerator (ICA) crypto hardware on IBM eServer zSeries machines.
The openssl-ibmca package has been upgraded to upstream version 1.2, which provides a number
of bug fixes and enhancements over the previous version. (BZ#694194)
All users of openssl-ibmca are advised to upgrade to this updated package, which fixes these bugs
and adds these enhancements.
4.210.2. RHBA-2012:0433 — openssl-ibmca bug fix update
An updated openssl-ibmca package that fixes one bug is now available for Red Hat Enterprise Linux
6.
The openssl-ibmca package provides a dynamic OpenSSL engine for the IBM eServer Cryptographic
Accelerator (ICA) crypto hardware on IBM eServer zSeries machines.
Bug Fix
BZ#804612
Due to a bug in the ibmca OpenSSL engine code, applications using the OpenSSL library
terminated unexpectedly with a segmentation fault when running the ibmca engine with
ciphers enabled in output feedback (OFB) mode on IBM System z, z196 series, hardware. A
patch has been applied to address this issue, ensuring that the OpenSSL library no longer
crashes under these circumstances.
All users of openssl-ibmca are advised to upgrade to this updated package, which fixes this bug.
4.211. openswan
4.211.1. RHBA-2011:1761 — openswan bug fix and enhancement update
An updated openswan package that fixes several bugs and adds one enhancement is now available
for Red Hat Enterprise Linux 6.
Openswan is a free implementation of IPsec (Internet Protocol Security) and IKE (Internet Key
Exchange) for Linux. The openswan package contains the daemons and user space tools for setting
up Openswan. It supports the NETKEY/XFRM IPsec kernel stack that exists in the default Linux kernel.
Openswan 2.6.x also supports IKEv2 (RFC4306).
Bug Fixes
BZ#703473
Openswan did not handle protocol and port configuration correctly if the ports were defined
and the host was defined with its hostname instead of its IP address. This update solves
this issue, and Openswan now correctly sets up policies with the correct protocol and port
under such circumstances.
BZ#703985
Prior to this update, very large security label strings received from a peer were being
truncated. The truncated string was then still used. However, this truncated string could turn
out to be a valid string, leading to an incorrect policy. Additionally, erroneous queuing of
on-demand requests of setting up an IPsec connection was discovered in the IKEv2
(Internet Key Exchange) code. Although not harmful, it was not the intended design. This
update fixes both of these bugs and Openswan now handles the IKE setup correctly.
BZ#704548
Previously, Openswan failed to set up AH (Authentication Header) mode security
associations (SAs). This was because Openswan was erroneously processing the AH
mode as if it was the ESP (Encrypted Secure Payload) mode and was expecting an
encryption key. This update fixes this bug and it is now possible to set up AH mode SAs
properly.
BZ#711975
IPsec connections over a loopback interface did not work properly when a specific port was
configured. This was because incomplete IPsec policies were being set up, leading to
connection failures. This update fixes this bug and complete policies are now established
correctly.
BZ#737975
Openswan failed to support retrieving Certificate Revocation Lists (CRLs) from HTTP or
LDAP CRL Distribution Points (CDPs) because the flags for enabling CRL functionality
were disabled on compilation. With this update, the flags have been enabled and the CRL
functionality is available as expected.
BZ#737976
Openswan failed to discover some certificates. This happened because the README.x509
file contained incorrect information on the directories to be scanned for certification files
and some directories failed to be scanned. With this update, the file has been modified to
provide accurate information.
BZ#738385
The Network Manager padlock icon was not cleared after a VPN connection terminated
unexpectedly. This update fixes the bug and the padlock icon is cleared when a VPN
connection is terminated as expected.
BZ#742632
Openswan sent wrong IKEv2 (Internet Key Exchange) ICMP (Internet Control Message
Protocol) selectors to an IPsec destination. This happened due to an incorrect conversion
of the host to network byte order. This update fixes this bug and Openswan now sends
correct ICMP selectors.
BZ#749605
The Pluto daemon terminated unexpectedly with a segmentation fault after an IP address
had been removed from one end of an established IPsec tunnel. This occurred if the other
end of the tunnel attempted to reuse the particular IP address to create a new tunnel as the
previous tunnel failed to close properly. With this update, such a tunnel is closed properly
and the problem no longer occurs.
Enhancement
BZ#737973
When run, the "ipsec barf" and "ipsec verify" commands load new kernel modules, which
influences the system configuration. This update adds the "iptable-save" command, which
uses only iptables and does not load kernel modules.
Users are advised to upgrade to this updated openswan package, which fixes these bugs and adds
the enhancement.
4.211.2. RHBA-2012:0339 — openswan bug fix update
An updated openswan package that fixes various bugs is now available for Red Hat Enterprise Linux
6.
Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange
(IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These
services allow you to build secure tunnels through untrusted networks. Openswan supports the
NETKEY/XFRM IPsec kernel stack that exists in the default Linux kernel. Openswan 2.6.x also
supports IKEv2 (RFC4306).
Bug Fixes
BZ#786434
The Openswan IKEv2 implementation did not correctly process an IKE_SA_INIT message
containing an INVALID_KE_PAYLOAD Notify Payload. With this fix, Openswan now sends
the INVALID_KE_PAYLOAD notify message back to the peer so that IKE_SA_INIT can restart
with the correct KE payload.
BZ#786435
Previously, Openswan sometimes generated a KE payload that was 1 byte shorter than
specified by the Diffie-Hellman algorithm. Consequently, IKE renegotiation failed at random
intervals. An error message in the following format was logged:
next payload type of ISAKMP Identification Payload has an unknown
value
This update checks the length of the generated key and if it is shorter than required, leading
zero bytes are added.
All users of openswan are advised to upgrade to this updated package, which fixes these bugs. Note
that the NSS library package needs to be version 3.13 or later for the KE payload and IKE
renegotiation issues to be fully resolved.
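The "random intervals" in BZ#786435 follow from how a Diffie-Hellman public value is serialized: when the number's most significant byte happens to be zero, a minimal-length encoding comes out one byte short, and the fix is to left-pad to the modulus length. The following is an added example of that encoding issue, not Openswan or NSS code; it uses a toy 128-bit modulus (an assumption, so it runs instantly; not an IKE group), hypothetical function names, and a seeded PRNG in place of real key generation.

```python
import random

# Toy parameters for illustration only (assumption, not a real IKE group).
P = 2**128 - 159
G = 2
MODULUS_LEN = (P.bit_length() + 7) // 8  # 16 bytes


def public_value(private_exponent):
    """DH public value g^x mod p."""
    return pow(G, private_exponent, P)


def encode_minimal(y):
    """Defect model: use only as many bytes as the number happens to need."""
    return y.to_bytes(max(1, (y.bit_length() + 7) // 8), "big")


def encode_fixed(y, length=MODULUS_LEN):
    """Fixed-length encoding: left-pad with zero bytes to the modulus length."""
    return y.to_bytes(length, "big")


def check_ke_data(data, length=MODULUS_LEN):
    """Receiver side: KE data must be exactly modulus-length and in range."""
    if len(data) != length:
        raise ValueError(
            f"KE data is {len(data)} bytes, expected {length}")
    y = int.from_bytes(data, "big")
    if not 1 < y < P - 1:
        raise ValueError("public value out of range")
    return y


def find_short_value(seed=1):
    """Return a public value whose minimal encoding is shorter than the modulus."""
    rng = random.Random(seed)  # seeded PRNG: reproducible, not for real keys
    while True:
        y = public_value(rng.getrandbits(127) | 1)
        if len(encode_minimal(y)) < MODULUS_LEN:
            return y


def short_encoding_rate(trials, seed=0):
    """Fraction of public values whose minimal encoding comes out short."""
    rng = random.Random(seed)
    short = 0
    for _ in range(trials):
        y = public_value(rng.getrandbits(127) | 1)
        if len(encode_minimal(y)) < MODULUS_LEN:
            short += 1
    return short / trials


if __name__ == "__main__":
    y = find_short_value()
    print("minimal length:", len(encode_minimal(y)))
    print("fixed length:  ", len(encode_fixed(y)))
    print("share of short encodings:", short_encoding_rate(20000))
```

With a modulus whose top byte is 0xFF, about one public value in 256 has a zero leading byte, which matches a failure that appears only occasionally.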
4 .211.3. RHBA-2012:054 1 — openswan bug fix updat e
Updated openswan packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
Openswan is a free implementation of IPsec (Internet Protocol Security) and IKE (Internet Key
Exchange) for Linux. The openswan package contains the daemons and user space tools for setting
up Openswan. It supports the NETKEY/XFRM IPsec kernel stack that exists in the default Linux kernel.
Openswan 2.6 and later also supports IKEv2 (Internet Key Exchange Protocol Version 2), which is
defined in RFC5996.
Bug Fixes
BZ#813192
Openswan incorrectly processed traffic selector messages proposed by the responder (the
endpoint responding to an initiated exchange) if the traffic selectors were confined to a
subset of the initially proposed traffic selectors. As a consequence, Openswan set up CHILD
security associations (SAs) incorrectly. With this update, Openswan initiates a new
connection for the reduced set of traffic selectors, and sets up IKE CHILD SAs accordingly.
BZ#813194
Openswan incorrectly processed traffic selector messages proposed by the initiator (the
endpoint which started an exchange) if the traffic selectors were confined to a subset of the
initially proposed traffic selectors. As a consequence, Openswan set up CHILD SAs
incorrectly. With this update, Openswan initiates a new connection for the reduced set of
traffic selectors, and sets up IKE CHILD SAs accordingly.
BZ#813355
When processing an IKE_AUTH exchange and the RESERVED field of the IKE_AUTH
request or response messages was modified, Openswan did not ignore the field as
expected according to the IKEv2 RFC5996 specification. Consequently, the IKE_AUTH
messages were processed as erroneous messages by Openswan and the IKE_AUTH
exchange failed. With this update, Openswan has been modified to ignore reserved fields
as expected and IKE_AUTH exchanges succeed in this scenario.
BZ#813356
When processing an IKE_SA_INIT exchange and the RESERVED field of the IKE_SA_INIT
request or response messages was modified, Openswan did not ignore the field as
expected according to the IKEv2 RFC5996 specification. Consequently, IKE_SA_INIT
messages with reserved fields set were processed as erroneous messages by Openswan
and the IKE_SA_INIT exchange failed. With this update, Openswan has been modified to
ignore reserved fields as expected and IKE_SA_INIT exchanges succeed in this scenario.
BZ#813357
Previously, Openswan did not behave in accordance with the IKEv2 RFC5996 specification
and ignored IKE_AUTH messages that contained an unrecognized Notify payload. This
resulted in IKE SAs being set up successfully. With this update, Openswan processes any
unrecognized Notify payload as an error and IKE SA setup fails as expected.
BZ#813360
When processing an INFORMATIONAL exchange, the responder previously did not send an
INFORMATIONAL response message as expected in reaction to the INFORMATIONAL
request message sent by the initiator. As a consequence, the INFORMATIONAL exchange
failed. This update corrects Openswan so that the responder now sends an
INFORMATIONAL response message after every INFORMATIONAL request message
received, and the INFORMATIONAL exchange succeeds as expected in this scenario.
BZ#813362
When processing an INFORMATIONAL exchange with a Delete payload, the responder
previously did not send an INFORMATIONAL response message as expected in reaction to
the INFORMATIONAL request message sent by the initiator. As a consequence, the
INFORMATIONAL exchange failed and the initiator did not delete IKE SAs. This update
corrects Openswan so that the responder now sends an INFORMATIONAL response
message and the initiator deletes IKE SAs as expected in this scenario.
BZ#813364
When the responder received an INFORMATIONAL request with a Delete payload for a
CHILD SA, Openswan did not process the request correctly and did not send the
INFORMATIONAL response message to the initiator as expected according to the RFC5996
specification. Consequently, the responder was not aware of the request and only the
initiator's CHILD SA was deleted. With this update, Openswan sends the response message
as expected and the CHILD SA is deleted properly on both endpoints.
BZ#813366
Previously, Openswan did not respond to INFORMATIONAL requests with no payloads that
are used for dead-peer detection. Consequently, the initiator considered the responder to
be a dead peer and deleted the respective IKE SAs. This update modifies Openswan so that
an empty INFORMATIONAL response message is now sent to the initiator as expected, and
the initiator no longer incorrectly deletes IKE SAs in this scenario.
BZ#813372
When processing an INFORMATIONAL exchange and the RESERVED field of the
INFORMATIONAL request or response messages was modified, Openswan did not ignore
the field as expected according to the IKEv2 RFC5996 specification. Consequently, the
INFORMATIONAL messages were processed as erroneous by Openswan, and the
INFORMATIONAL exchange failed. With this update, Openswan has been modified to
ignore reserved fields as expected and INFORMATIONAL exchanges succeed in this
scenario.
BZ#813378
When the initiator received an INFORMATIONAL request with a Delete payload for an IKE
SA, Openswan did not process the request correctly and did not send the INFORMATIONAL
response message to the responder as expected according to the RFC5996 specification.
Consequently, the initiator was not aware of the request and only the responder's IKE SA
was deleted. With this update, Openswan sends the response message as expected and the
IKE SA is deleted properly on both endpoints.
BZ#813379
IKEv2 requires each IKE message to have a sequence number for matching a request and
response when re-transmitting the message during the IKE exchange. Previously,
Openswan incremented sequence numbers incorrectly so that IKE messages were
processed in the wrong order. As a consequence, any messages sent by the responder
were not processed correctly and any subsequent exchange failed. This update modifies
Openswan to increment sequence numbers in accordance with the RFC5996 specification
so that IKE messages are matched correctly and exchanges succeed as expected in this
scenario.
BZ#813565
Openswan did not ignore the minor version number of the IKE_SA_INIT request messages
as required by the RFC5996 specification. Consequently, if the minor version number of the
request was higher than the minor version number of the IKE protocol used by the receiving
peer, Openswan processed the IKE_SA_INIT messages as erroneous and the IKE_SA_INIT
exchange failed. With this update, Openswan has been modified to ignore the Minor
Version fields of the IKE_SA_INIT requests as expected and the IKE_SA_INIT exchange
succeeds in this scenario.
BZ#814600
Older versions of the kernel required the output of the HMAC hash function to be
truncated to 96 bits; therefore, Openswan previously used a 96-bit truncation length
when using the HMAC-SHA2-256 algorithm. However, newer kernels require the 128-bit
HMAC truncation length, as per the RFC4868 specification. Consequently, this
difference could cause incompatible SAs to be set on IKE endpoints due to one endpoint
using 96-bit and the other 128-bit output length of the hash function. This update modifies
the underlying code so that Openswan now complies with RFC4868 and adds support for
the new kernel configuration parameter, sha2_truncbug. If the "sha2_truncbug" parameter
is set to "yes", Openswan now passes the correct key length to the kernel, which ensures
interoperability between older and newer kernels.
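The truncation mismatch described above, as an added Python example (not Openswan or kernel code): the same HMAC-SHA-256 output is truncated to 96 or 128 bits, and a receiver configured for the other length fails verification. The key, packet bytes and function names are constructed for illustration.

```python
"""HMAC-SHA-256 integrity check values (ICVs) truncated to 96 and 128 bits.

Added illustration only: the key, the packet bytes and all function names
are constructed for this example.
"""
import hashlib
import hmac

KEY = bytes(range(32))                      # constructed 256-bit key
PACKET = b"constructed ESP payload bytes"   # constructed sample data


def icv(key: bytes, data: bytes, bits: int) -> bytes:
    """Return the leftmost `bits` bits of HMAC-SHA-256(key, data)."""
    if bits % 8 or not 0 < bits <= 256:
        raise ValueError("truncation length must be a multiple of 8, at most 256")
    return hmac.new(key, data, hashlib.sha256).digest()[: bits // 8]


def protect(key: bytes, data: bytes, bits: int) -> bytes:
    """Sender side: append the truncated ICV to the data."""
    return data + icv(key, data, bits)


def verify(key: bytes, wire: bytes, bits: int) -> bool:
    """Receiver side: split off an ICV of the configured length and check it."""
    n = bits // 8
    if len(wire) <= n:
        return False
    data, tag = wire[:-n], wire[-n:]
    return hmac.compare_digest(tag, icv(key, data, bits))


def interop_matrix(key: bytes = KEY, data: bytes = PACKET) -> dict:
    """Map (sender_bits, receiver_bits) to whether the packet verifies."""
    result = {}
    for sender_bits in (96, 128):
        wire = protect(key, data, sender_bits)
        for receiver_bits in (96, 128):
            result[(sender_bits, receiver_bits)] = verify(key, wire, receiver_bits)
    return result


if __name__ == "__main__":
    for pair, ok in sorted(interop_matrix().items()):
        print(pair, "verifies" if ok else "rejected")
```

Both endpoints hold the same key, so the failure comes only from where each side believes the ICV starts.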
All users of openswan are advised to upgrade to these updated packages, which fix these bugs.
4.211.4. RHBA-2013:1160 — openswan bug fix update
Updated openswan packages that fix one bug are now available for Red Hat Enterprise Linux 6
Extended Update Support.
Openswan is a free implementation of Internet Protocol Security (IPsec) and Internet Key Exchange
(IKE). IPsec uses strong cryptography to provide both authentication and encryption services. These
services allow you to build secure tunnels through untrusted networks.
Bug Fix
BZ#983451
The openswan package for Internet Protocol Security (IPsec) contains two diagnostic
commands, "ipsec barf" and "ipsec look", that can cause the iptables kernel modules for
NAT and IP connection tracking to be loaded. On very busy systems, loading such kernel
modules can result in severely degraded performance or lead to a crash when the kernel
runs out of resources. With this update, the diagnostic commands do not cause loading of
the NAT and IP connection tracking modules. This update does not affect systems that
already use IP connection tracking or NAT as the iptables and ip6tables services will
already have loaded these kernel modules.
Users of openswan are advised to upgrade to these updated packages, which fix this bug.
4.212. oprofile
4.212.1. RHBA-2011:1712 — oprofile bug fix and enhancement update
An updated oprofile package that fixes one bug and adds two enhancements is now available for
Red Hat Enterprise Linux 6.
OProfile is a system-wide profiler for Linux systems. The profiling runs transparently in the
background and profile data can be collected at any time. OProfile uses the hardware performance
counters provided on many processors, and can use the Real Time Clock (RTC) for profiling on
processors without counters.
Bug Fix
BZ#717860
Previously, OProfile could encounter a buffer overrun in the OProfile daemon. This update
modifies oprofiled so that OProfile now checks and reports if the filename is too large for the
buffer.
Enhancements
BZ#696565
Previously, the OProfile profiler did not provide the performance monitoring events for the
Intel Sandy Bridge processor. This update provides the files for the Intel Sandy Bridge
processor specific performance events and adds the code to identify Intel Sandy Bridge
processors. Now, OProfile provides Intel Sandy Bridge specific events.
BZ#695851
Previously, the OProfile profiler did not identify some Intel Westmere processors, causing
OProfile to use the fallback Intel Architected events. Now, OProfile provides Intel Westmere
specific events for Intel Westmere-EX processors (model 0x2f).
All OProfile users are advised to upgrade to this updated package which fixes this bug and adds
these enhancements.
4.213. pacemaker
4.213.1. RHBA-2011:1669 — pacemaker bug fix and enhancement update
Updated pacemaker packages that fix several bugs and add various enhancements are now
available for Red Hat Enterprise Linux 6.
The Pacemaker Cluster Resource Manager provides the ability to create and manage
high-availability server applications in the event of system downtime.
The pacemaker packages have been upgraded to upstream version 1.1.6, which provides a number
of bug fixes and enhancements over the previous version. In particular, this update fixes the
following bugs:
BZ#708722
Prior to this update, when the pacemaker daemon did not have permission to write to the
/var/log/cluster/corosync.log file, it wrote the following error to the system log:
attrd: Cannot append to /var/log/cluster/corosync.log: Permission denied
This update applies a patch to ensure that when such an error occurs, Pacemaker logs this
problem on startup and no longer tries to access this file.
BZ#720136
When using the CRM command line interface, running the "configure", "template", and "list"
commands in this particular order caused the crm process to terminate unexpectedly with
the following error:
NameError: global name 'listconfigs' is not defined
With this update, the underlying source code has been modified to address this issue so
that CRM no longer crashes.
BZ#743175
Under certain circumstances, an attempt to fence a node may have caused Pacemaker to
stop responding when accessing the /var/run/cluster/fenced_override file. With this update,
this error no longer occurs, and Pacemaker now works as expected in this scenario.
BZ#745526
Prior to this update, an error in the interaction between Pacemaker and CMAN's fencing
subsystem prevented reliable fencing operation. This update applies a patch that corrects
this error so that such fencing operations are now reliable.
BZ#708797
In the previous version of the crm(8) manual page, the EXAMPLES section incorrectly listed
several example commands on a single line. This made it particularly difficult for a reader to
distinguish these commands. This update introduces a new, completely rewritten manual
page, which lists each example command on a separate line.
All users who want to use the pacemaker Technology Preview should upgrade to these updated
packages, which provide numerous bug fixes and enhancements.
4.214. pam
4.214.1. RHEA-2011:1732 — pam enhancement update
Updated pam packages that add one enhancement are now available for Red Hat Enterprise Linux.
Pluggable Authentication Modules (PAM) provide a system for administrators to set up
authentication policies without the need to recompile programs to handle authentication.
Enhancement
BZ#727286
With this update, the libraries are recompiled with the partial read only relocation (RELRO)
flag to enhance the security of applications that use the libraries.
All pam users are advised to upgrade to these updated packages, which add this enhancement.
4.214.2. RHEA-2012:0482 — pam enhancement update
Updated pam packages that add one enhancement are now available for Red Hat Enterprise Linux 6.
Pluggable Authentication Modules (PAM) provide a system to set up authentication policies without
the need to recompile programs to handle authentication.
Enhancement
BZ#809370
The pam_cracklib module is a PAM module for password-quality checking used by various
applications. With this update, the pam_cracklib module has been improved with additional
password-quality checks. The pam_cracklib module can now check whether a new
password contains words from the GECOS field of entries in the "/etc/passwd" file.
The GECOS field is used to store additional information about the user, such as the user's
full name or a phone number, which could be used by an attacker in an attempt to crack
the password. The pam_cracklib module now also allows specifying the maximum allowed
number of consecutive characters of the same class (lowercase, uppercase, number and
special characters) in a password.
All users of pam are advised to upgrade to these updated packages, which add this enhancement.
4.215. pam_krb5
4.215.1. RHBA-2011:1704 — pam_krb5 bug fix update
An updated pam_krb5 package that fixes various bugs is now available for Red Hat Enterprise Linux
6.
The pam_krb5 package allows PAM-aware applications to check user passwords with the help of a
Kerberos KDC.
Bug Fixes
BZ#690832
When a client logged into a remote host using SSH with GSSAPI authentication, configured
to re-delegate credentials when the client obtains fresh credentials, pam_krb5 created a
new credential cache on the remote host in addition to the cache created by SSH.
Consequently, the credential cache that pam_krb5 had created for the user's session would
not be updated when they were renewed on the client. This update prevents pam_krb5 from
creating its own cache in the scenario described, so the credential delegation mechanism is
not interfered with.
BZ#700520
Prior to this update, when a client attempted to perform a password change after using a
non-password-based pre-authentication mechanism (such as a Smart Card), the pam_krb5
module would unnecessarily prompt for the user's PIN (twice). This update corrects this
bug.
BZ#720609, BZ#722489, BZ#733803
When a client, using SSH, logged into a remote host using the PasswordAuthentication
mechanism, two credential caches would be created for the user on the remote host, but
only one of them would be removed when the user logged out. This update no longer
creates the second, redundant cache.
All users of pam_krb5 are advised to upgrade to this updated package, which fixes these bugs.
4.216. pam_ldap
4.216.1. RHBA-2011:1701 — pam_ldap bug fix update
An updated pam_ldap package that fixes various bugs is now available for Red Hat Enterprise Linux
6.
The pam_ldap package provides the pam_ldap.so module, which allows PAM-aware applications to
check user passwords with the help of a directory server.
Bug Fixes
BZ#735375
All entries stored in an LDAP directory have a unique "Distinguished Name," or DN. The top
level of the LDAP directory tree is the base, referred to as the "base DN". When the host
option is not set, the pam_ldap.so module uses DNS SRV records to determine which
servers to contact to perform authentication. Prior to this update, the LDAP base "DN"
option was derived from the DNS domain name, ignoring any value that had been set for
"base" in the pam_ldap.conf file. As a consequence, LDAP lookups failed. The "base"
setting in the configuration file, pam_ldap.conf, is now correctly parsed before the
configuration is read from DNS. As a result, "base" is now set to the value given in the
pam_ldap.conf file and is used as the base (starting point) to search for a user's
credentials.
BZ#688747
Prior to this update, pam_ldap (when called by a process which was running as root) did
not re-authenticate the user during a password change operation. As a consequence,
reuse of the old password was not prevented. This update backports a fix to ensure that
when a privileged application initiates a password change operation for a user whose
password has expired, the current password is verified again, allowing client-side
password-quality checking to be performed when using LDAP accounts.
All users of pam_ldap are advised to upgrade to this updated package, which fixes these bugs.
4.217. papi
4.217.1. RHBA-2011:1755 — papi bug fix and enhancement update
An updated papi package that fixes multiple bugs and adds various enhancements is now available
for Red Hat Enterprise Linux 6.
PAPI (Performance Application Programming Interface) is a software library that provides access to
the processor's performance-monitoring hardware.
The papi package has been upgraded to upstream version 4.1.3, which provides a number of bug
fixes and enhancements over the previous version. (BZ#705893)
All PAPI users are advised to upgrade to this updated package, which fixes these bugs and adds
these enhancements.
4.218. parted
4.218.1. RHBA-2011:1626 — parted bug fix and enhancement update
Updated parted packages that fix three bugs and add one enhancement are now available for Red
Hat Enterprise Linux 6.
The parted packages allow you to create, destroy, resize, move, and copy hard disk partitions. The
parted program can be used for creating space for new operating systems, reorganizing disk usage,
and copying data to new hard disks.
Bug Fixes
BZ#665496
Prior to this update, parted incorrectly calculated the position of the new partition when
partitions of 1 or smaller units (e.g., 1GB, 0.5GB) were created. As a result, only an extremely
small partition was created. This update fixes the snap problem for 1 unit and no longer
allows defining units less than 1. The value 0 is still allowed when specifying the start of the
device. The next smaller unit should be used instead of a value smaller than 1; for example,
use 500MB instead of 0.5GB.
BZ#692562
Prior to this update, a cylinder-head-sector (CHS) value was, under certain circumstances,
especially with factory partitioned USB drives, not found. As a result, parted threw an
assertion when attempting to guess the CHS used to create a partition table, even though it
was safe to continue without the CHS information. This update no longer throws an
assertion when it cannot guess the CHS values used to create a partition table.
BZ#746098
Prior to this update, several tests of the parted test suite failed when running as root on IBM
System z and 64-bit PowerPCs. With this update, the tests run as expected.
Enhancement
BZ#711148
GPT disklabels now support the legacy_boot flag to allow bootloaders such as syslinux's
hybrid gptmbr to be used on BIOS and EFI systems. It is set with the set command in parted.
All parted users are advised to upgrade to these updated packages, which fix these bugs and add
this enhancement.
4.219. passwd
4.219.1. RHEA-2012:0328 — passwd enhancement update
An updated passwd package that adds two enhancements is now available for Red Hat Enterprise
Linux 6.
The passwd packages contain a system utility, "passwd", which changes passwords and displays
password status information using the Pluggable Authentication Modules (PAM) and Libuser
libraries.
Enhancements
BZ#791139
The passwd command now supports a new option, "-e", that allows the system
administrator to expire the password of the specified user so that the user is forced to
change the password on the next login attempt.
BZ#791143
The passwd executable file is a setuid program so it needs to be well protected against
various types of attacks. With this update, passwd has been built with the Position
Independent Executables (PIE) flag, "-fPIE -pie", and the full read-only relocations (RELRO)
flags, "-Wl,-z,relro,-z,now". The passwd binary is now well protected against "return-to-text"
and memory corruption attacks and also against attacks based on the program's ELF
section overwriting.
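One way to confirm the build flags described above (and the partial RELRO noted for the pam libraries) is to read the ELF headers directly. This is an added Python example, not Red Hat's tooling; it handles 64-bit little-endian ELF only, its function names are hypothetical, and the sample images are constructed header-only files.

```python
"""Report position independence and RELRO level of a 64-bit LE ELF image.

Added illustration only: names are hypothetical, and make_sample() builds
constructed header-only images (no code, not loadable) so the check runs
without any binary on disk.
"""
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # ELF64 file header, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header, 56 bytes
DYN = struct.Struct("<qQ")                  # ELF64 dynamic entry, 16 bytes

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def hardening(image: bytes) -> dict:
    """Return {'position_independent': bool, 'relro': 'none'|'partial'|'full'}."""
    if len(image) < EHDR.size or image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if image[4] != 2 or image[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    hdr = EHDR.unpack_from(image)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    if e_phnum and e_phentsize != PHDR.size:
        raise ValueError("unexpected program header size")
    has_relro = bind_now = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + PHDR.size > len(image):
            raise ValueError("program header table is truncated")
        ph = PHDR.unpack_from(image, off)
        p_type, p_offset, p_filesz = ph[0], ph[2], ph[5]
        if p_type == PT_GNU_RELRO:          # emitted by -Wl,-z,relro
            has_relro = True
        elif p_type == PT_DYNAMIC:          # look for the -z now markers
            end = min(p_offset + p_filesz, len(image))
            for pos in range(p_offset, end - DYN.size + 1, DYN.size):
                tag, val = DYN.unpack_from(image, pos)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW
                        or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    # ET_DYN is also the type of shared libraries, not only PIE executables.
    return {"position_independent": e_type == ET_DYN, "relro": relro}


def make_sample(e_type: int, relro: bool, bind_now: bool) -> bytes:
    """Build a constructed, header-only ELF64 image for the checks above."""
    dyn = (DYN.pack(DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + DYN.pack(DT_NULL, 0)
    phnum = 2 if relro else 1
    dyn_off = EHDR.size + phnum * PHDR.size
    phdrs = PHDR.pack(PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += PHDR.pack(PT_GNU_RELRO, 4, dyn_off, 0, 0, len(dyn), len(dyn), 1)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, hardening(fh.read()))
```

Run against a binary built with the flags named above, the expected result is position independence plus full RELRO; a library built with relro alone reports partial.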
All users of passwd are advised to upgrade to this updated package, which adds these
enhancements.
4.220. pciutils
4.220.1. RHBA-2011:1760 — pciutils bug fix and enhancement update
Updated pciutils packages that fix a bug and add an enhancement are now available for Red Hat
Enterprise Linux 6.
The pciutils package contains various utilities for inspecting and manipulating devices connected to
the PCI bus.
Bug Fix
BZ#740630
Previously, in an attempt to free data structures from memory via the pci_free_cap()
function, the "glibc detected *** double free or corruption (!prev):" error message was
returned and the operation failed. A patch has been provided to address this issue and
freeing system resources now works properly.
Enhancement
BZ#742223
With this update, TPH (Transaction Processing Hints) and LTR (Latency Tolerance
Reporting) reporting capabilities have been added to the pciutils package to support the
PCI Express 3.0 standard.
All pciutils users should upgrade to these updated packages, which fix this bug and add this
enhancement.
4.221. perl-Date-Manip
4.221.1. RHEA-2011:1560 — perl-Date-Manip enhancement update
An updated perl-Date-Manip package that upgrades the Date::Manip module to upstream version
6.24 is now available for Red Hat Enterprise Linux 6.
The Date::Manip module provides a mechanism for Perl scripts to perform common date or time
operations, such as comparing two timestamps or parsing international times.
Enhancement
BZ#672934
Among other flaws, the previous version of the perl-Date-Manip package included outdated
time zone definitions and an old API that is now considered deprecated. This update
upgrades the perl-Date-Manip package to upstream version 6.24, which provides up-to-date
time zone definitions and version 6 of the API. Users are still able to use the old API
version 5 by explicitly using the Date::Manip::DM5 module.
All users of perl-Date-Manip are advised to upgrade to this updated package, which adds this
enhancement.
4.222. perl-Net-DNS
4.222.1. RHBA-2011:1271 — perl-Net-DNS bug fix update
An updated perl-Net-DNS package that fixes one bug is now available for Red Hat Enterprise Linux
6.
The perl-Net-DNS package contains a collection of Perl modules that act as a Domain Name System
(DNS) resolver. It allows the programmer to perform DNS queries that are beyond the capabilities of
the gethostbyname and gethostbyaddr routines.
Bug Fix
BZ#688211
Prior to this update, perl-Net-DNS lacked complete IPv6 functionality. This update adds
the dependencies related to IPv6 and, in addition, prevents the possibility of interactive
(re)build.
All users of perl-Net-DNS should upgrade to this updated package, which fixes this bug.
4.223. perl-NetAddr-IP
4.223.1. RHEA-2011:0873 — perl-NetAddr-IP bug fix update
An updated perl-NetAddr-IP package that fixes one bug is now available for Red Hat Enterprise Linux
6.
The perl-NetAddr-IP module provides an object-oriented abstraction on top of IP addresses or IP
subnets, that allows for easy manipulations.
Bug Fix
BZ#692857
Prior to this update, the documentation included in the perl-NetAddr-IP module did not
contain a correct description with regard to the addition of a constant to an IP address. The
problem has been resolved in this update by correcting the respective part of the
documentation.
All users of perl-NetAddr-IP are advised to upgrade to this updated package, which fixes this bug.
4.224. perl-Sys-Virt
4.224.1. RHBA-2011:1573 — perl-Sys-Virt bug fix and enhancement update
An updated perl-Sys-Virt package that fixes one bug and adds one enhancement is now available
for Red Hat Enterprise Linux 6.
The perl-Sys-Virt package provides application programming interfaces (APIs) for managing virtual
machines from Perl, using the libvirt library.
Bug Fix
BZ#705792
Prior to this update, the flags argument was hardcoded to value 0 in
virDomainGetXMLDesc. As a result, security sensitive domain information was not
accessible using the libvirt perl bindings. This update adds the flags parameter to all
get_xml_description methods. Now, the security sensitive domain information can be
obtained as expected.
Enhancement
BZ#717887
The Sys::Virt module has been updated to provide support for the new APIs introduced
between version 0.8.7 and 0.9.3 of the libvirt library.
All users of perl-Sys-Virt are advised to upgrade to this updated package, which fixes this bug and
adds this enhancement.
4.225. perl-Test-Spelling
4.225.1. RHBA-2011:1093 — perl-Test-Spelling bug fix update
An updated perl-Test-Spelling package that fixes one bug is now available for Red Hat Enterprise
Linux 6.
The perl-Test-Spelling package allows users to check spelling of a POD file.
Bug Fix
BZ#636835
Prior to this update, the perl-Test-Spelling package erroneously required the aspell
package instead of the hunspell package at runtime. This update fixes the problem by
correcting perl-Test-Spelling's runtime dependencies so that the hunspell package is now
required, as expected.
All users of perl-Test-Spelling should upgrade to this updated package, which fixes this bug.
4.226. php
4.226.1. RHSA-2012:0019 — Moderate: php53 and php security update
Updated php53 and php packages that fix two security issues are now available for Red Hat
Enterprise Linux 5 and 6 respectively.
The Red Hat Security Response Team has rated this update as having moderate security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.
Security Fixes
CVE-2011-4885
It was found that the hashing routine used by PHP arrays was susceptible to predictable
hash collisions. If an HTTP POST request to a PHP application contained many
parameters whose names map to the same hash value, a large amount of CPU time would
be consumed. This flaw has been mitigated by adding a new configuration directive,
max_input_vars, that limits the maximum number of parameters processed per request. By
default, max_input_vars is set to 1000.
CVE-2011-4566
An integer overflow flaw was found in the PHP exif extension. On 32-bit systems, a
specially-crafted image file could cause the PHP interpreter to crash or disclose portions of
its memory when a PHP script tries to extract Exchangeable image file format (Exif)
metadata from the image file.
Red Hat would like to thank oCERT for reporting CVE-2011-4885. oCERT acknowledges Julian
Wälde and Alexander Klink as the original reporters of CVE-2011-4885.
All php53 and php users should upgrade to these updated packages, which contain backported
patches to resolve these issues. After installing the updated packages, the httpd daemon must be
restarted for the update to take effect.
4.226.2. RHSA-2012:0093 — Critical: php security update
Updated php packages that fix one security issue are now available for Red Hat Enterprise Linux 4, 5
and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.
Security Fix
CVE-2012-0830
It was discovered that the fix for CVE-2011-4885 (released via RHSA-2012:0071,
RHSA-2012:0033, and RHSA-2012:0019 for php packages in Red Hat Enterprise Linux 4, 5, and 6
respectively) introduced an uninitialized memory use flaw. A remote attacker could send a
specially-crafted HTTP request to cause the PHP interpreter to crash or, possibly, execute
arbitrary code.
All php users should upgrade to these updated packages, which contain a backported patch to
resolve this issue. After installing the updated packages, the httpd daemon must be restarted for the
update to take effect.
4.226.3. RHSA-2012:0546 — Critical: php security update
Updated php packages that fix one security issue are now available for Red Hat Enterprise Linux 5
and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.
Security Fix
CVE-2012-1823
A flaw was found in the way the php-cgi executable processed command line arguments
when running in CGI mode. A remote attacker could send a specially-crafted request to a
PHP script that would result in the query string being parsed by php-cgi as command line
options and arguments. This could lead to the disclosure of the script's source code or
arbitrary code execution with the privileges of the PHP interpreter.
Red Hat is aware that a public exploit for this issue is available that allows remote code execution in
affected PHP CGI configurations. This flaw does not affect the default configuration in Red Hat
Enterprise Linux 5 and 6 using the PHP module for Apache httpd to handle PHP scripts.
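For log review, the request shape described above can be recognised by a query string that has no unencoded "=" and contains an argument starting with "-", since CGI passes such query strings to the program as command-line arguments. This is an added Python example, not part of the advisory; the log lines are constructed, "-x" is a placeholder token, and the function names are hypothetical.

```python
"""Flag access-log requests whose query string a CGI program would receive
as command-line arguments (the request shape behind CVE-2012-1823).

Added illustration only: the log lines are constructed, "-x" stands in for
any option-like token, and all names are hypothetical.
"""
import re
from urllib.parse import unquote

# Common/Combined Log Format: host ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log (documentation address range 192.0.2.0/24).
SAMPLE_LOG = """\
192.0.2.10 - - [03/May/2012:10:00:01 +0000] "GET /index.php?id=42 HTTP/1.1" 200 5120
192.0.2.11 - - [03/May/2012:10:00:02 +0000] "GET /index.php?-x HTTP/1.1" 200 48211
192.0.2.11 - - [03/May/2012:10:00:03 +0000] "POST /index.php?%2dx+placeholder HTTP/1.1" 200 17
192.0.2.12 - - [03/May/2012:10:00:04 +0000] "GET /search.php?q=-x HTTP/1.1" 200 900
192.0.2.13 - - [03/May/2012:10:00:05 +0000] "GET /static/logo.png HTTP/1.1" 304 0
192.0.2.14 - - [03/May/2012:10:00:06 +0000] "GET /index.php?page HTTP/1.1" 200 5120
"""


def query_becomes_argv(target: str) -> bool:
    """True if the query string would reach a CGI program as option-like argv."""
    _, sep, query = target.partition("?")
    if not sep or not query:
        return False
    if "=" in query:
        # An unencoded "=" marks ordinary name=value data, not argv.
        return False
    # CGI splits such a query on "+" and percent-decodes each argument,
    # so an encoded "%2d" must be decoded before looking for a leading "-".
    args = [unquote(arg) for arg in query.split("+")]
    return any(arg.lstrip().startswith("-") for arg in args)


def scan(log_text: str) -> list:
    """Return (line number, client host, request target) for flagged lines."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if m and query_becomes_argv(m.group("target")):
            hits.append((lineno, m.group("host"), m.group("target")))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("review:", hit)
```

The check works on the raw request target, so it also catches the percent-encoded form that a plain substring search for "?-" would miss.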
All php users should upgrade to these updated packages, which contain a backported patch to
resolve this issue. After installing the updated packages, the httpd daemon must be restarted for the
update to take effect.
4.226.4. RHSA-2013:1061 — Critical: php security update
Updated php packages that fix one security issue are now available for Red Hat Enterprise Linux 5.3
Long Life, and Red Hat Enterprise Linux 5.6, 6.2 and 6.3 Extended Update Support.
The Red Hat Security Response Team has rated this update as having critical security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link associated with the description below.
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.
Security Fix
CVE-2013-4113
A buffer overflow flaw was found in the way PHP parsed deeply nested XML documents. If a
PHP application used the xml_parse_into_struct() function to parse untrusted XML content,
an attacker able to supply specially-crafted XML could use this flaw to crash the application
or, possibly, execute arbitrary code with the privileges of the user running the PHP
interpreter.
All php users should upgrade to these updated packages, which contain a backported patch to
resolve this issue. After installing the updated packages, the httpd daemon must be restarted for the
update to take effect.
4.227. php-pear
4.227.1. RHSA-2011:1741 — Low: php-pear security and bug fix update
An updated php-pear package that fixes one security issue and multiple bugs is now available for
Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The php-pear package contains the PHP Extension and Application Repository (PEAR), a framework
and distribution system for reusable PHP components.
Security Fix
CVE-2011-1072
It was found that the "pear" command created temporary files in an insecure way when
installing packages. A malicious, local user could use this flaw to conduct a symbolic link
attack, allowing them to overwrite the contents of arbitrary files accessible to the victim
running the "pear install" command.
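The difference between an insecurely created temporary file and a safely created one, as an added example in Python (not code from php-pear or from the Red Hat patch). The first writer opens a predictable name and follows a symbolic link planted there; the other two refuse or avoid any pre-existing path. The file names are constructed, and everything runs inside a private directory made by tempfile.mkdtemp().

```python
import os
import shutil
import tempfile

FIXED_NAME = "install.tmp"  # constructed, predictable temporary file name


def write_predictable(directory, data):
    """Insecure pattern: a fixed name opened with plain open(), which
    follows whatever symbolic link already sits at that path."""
    path = os.path.join(directory, FIXED_NAME)
    with open(path, "wb") as handle:
        handle.write(data)
    return path


def write_exclusive(directory, data):
    """Fixed name, but O_CREAT|O_EXCL makes open() fail with EEXIST when
    the path already exists, including when it is a symbolic link."""
    path = os.path.join(directory, FIXED_NAME)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return path


def write_random(directory, data):
    """Preferred pattern: mkstemp() picks an unpredictable name and creates
    the file exclusively with mode 0600."""
    fd, path = tempfile.mkstemp(prefix="install-", dir=directory)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return path


def _read(path):
    with open(path, "rb") as handle:
        return handle.read()


def demo():
    """Plant a symlink at the predictable name inside a private sandbox
    directory and record what each writer does to the link's target."""
    base = tempfile.mkdtemp(prefix="tmpfile-demo-")
    try:
        shared = os.path.join(base, "tmp")          # stands in for /tmp
        os.mkdir(shared)
        victim = os.path.join(base, "victim.conf")  # file owned by the victim
        os.symlink(victim, os.path.join(shared, FIXED_NAME))

        observed = {}
        with open(victim, "wb") as handle:
            handle.write(b"original\n")
        write_predictable(shared, b"package data\n")
        observed["predictable_overwrote_victim"] = (
            _read(victim) == b"package data\n")

        with open(victim, "wb") as handle:          # reset the victim file
            handle.write(b"original\n")
        try:
            write_exclusive(shared, b"package data\n")
            observed["exclusive_refused"] = False
        except FileExistsError:
            observed["exclusive_refused"] = True

        random_path = write_random(shared, b"package data\n")
        observed["random_name_differs"] = (
            os.path.basename(random_path) != FIXED_NAME)
        observed["random_mode"] = os.stat(random_path).st_mode & 0o777
        observed["victim_after_safe_writers"] = _read(victim)
        return observed
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```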
Bug Fixes
BZ#651897
The php-pear package has been upgraded to version 1.9.4, which provides a number of
bug fixes over the previous version.
BZ#747361
Prior to this update, php-pear created a cache in the "/var/cache/php-pear/" directory when
attempting to list all packages. As a consequence, php-pear failed to create or update the
cache file as a regular user without sufficient file permissions and could not list all
packages. With this update, php-pear no longer fails if writing to the cache directory is not
permitted. Now, all packages are listed as expected.
All users of php-pear are advised to upgrade to this updated package, which corrects these issues.
4.228. pidgin
4.228.1. RHSA-2011:1821 — Moderate: pidgin security update
Updated pidgin packages that fix multiple security issues are now available for Red Hat Enterprise
Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant
messaging networks simultaneously.
Security Fixes
CVE-2011-4601
An input sanitization flaw was found in the way the AOL Open System for Communication in
Realtime (OSCAR) protocol plug-in in Pidgin, used by the AOL ICQ and AIM instant
messaging systems, escaped certain UTF-8 characters. A remote attacker could use this
flaw to crash Pidgin via a specially-crafted OSCAR message.
CVE-2011-4602
Multiple NULL pointer dereference flaws were found in the Jingle extension of the Extensible
Messaging and Presence Protocol (XMPP) protocol plug-in in Pidgin. A remote attacker
could use these flaws to crash Pidgin via a specially-crafted Jingle multimedia message.
Red Hat would like to thank the Pidgin project for reporting these issues. Upstream acknowledges
Evgeny Boger as the original reporter of CVE-2011-4601, and Thijs Alkemade as the original reporter
of CVE-2011-4602.
All Pidgin users should upgrade to these updated packages, which contain backported patches to
resolve these issues. Pidgin must be restarted for this update to take effect.
4.229. pinentry
4.229.1. RHBA-2011:1096 — pinentry bug fix update
Updated pinentry packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The pinentry package contains a collection of simple PIN or password entry dialogs, which utilize the
Assuan protocol as described by the Project Aegypten. The pinentry package also contains the
command line version of the PIN entry dialog.
Bug Fix
BZ#677665
Prior to this update, there was a problem when entering a password using the pinentry-curses
utility; an error message was displayed instead of the password entry dialog if
pinentry-curses was run under a user different from the user who owned the current tty. This
bug has been fixed in this update so that no error message is now displayed and
pinentry-curses asks for a password as expected.
All users of pinentry are advised to upgrade to these updated packages, which fix this bug.
4.230. piranha
4.230.1. RHBA-2011:1716 — piranha bug fix update
An updated piranha package that fixes various bugs is now available for Red Hat Enterprise Linux 6.
Piranha provides high-availability and load balancing services for Red Hat Enterprise Linux. The
piranha package contains various tools to administer and configure the Linux Virtual Server (LVS),
as well as the heartbeat and failover components. LVS is a dynamically-adjusted kernel routing
mechanism that provides load balancing, primarily for Web and FTP servers.
Bug Fixes
BZ#593728
Previously, failure to start a single nanny daemon could terminate all the other nanny
daemons. As a result, piranha could stop routing requests to real servers if one service
monitor failed. This update adds a new option in the lvs.cf file, "hard_shutdown". The old
behavior is retained with the default setting of 1. If a 0 value is set, a single nanny does not
kill all nannies but the system needs manual intervention.
BZ#628872
Previously, the piranha-gui init script searched for programs in the current working
directory. As a consequence, SELinux Access Vector Cache (AVC) denials could be
generated when starting the piranha-gui service in unusual locations without the "service"
utility. The init script has been modified to avoid this problem. Now, SELinux denials are no
longer logged.
BZ#703146
Adding or removing Virtual Service descriptions in the LVS configuration requires restarting
the pulse daemon (service pulse reload). Prior to this update all services (running or not)
were started. When reloading the pulse daemon, if a service did not have any servers
defined, the pulse daemon terminated unexpectedly with a segmentation fault. With this
update, only running services are restarted. Now, the pulse daemon reloads as expected.
BZ#706881
Prior to this update, terminating a nanny or an lvs daemon did not trigger a failover to the
backup server. As a consequence, the load balancer stopped working. With this update, the
pulse daemon shuts down if either the nanny daemon or the lvs daemon terminates. Now,
the load balancer works as expected.
BZ#708036
Previously, the piranha-gui utility reported an HTTP 414 error (Request-URI Too Long) if too
many virtual servers were defined. As a consequence, when trying to edit a virtual server,
the error message "Too many arguments in the URL" appeared. With this update, the
number of defined virtual servers does not affect the length of the URI. Now, error messages
are no longer reported.
BZ#729828
This update adds the 255.255.254.0 network mask to the piranha-gui drop-down menus.
All users of piranha are advised to upgrade to this updated package, which fixes these bugs.
4.231. pki-core
4.231.1. RHBA-2011:1655 — pki-core bug fix and enhancement update
Updated pki-core packages that fix several bugs and add various enhancements are now available
for Red Hat Enterprise Linux 6.
Red Hat Certificate System is an enterprise software system designed to manage enterprise public key
infrastructure (PKI) deployments. PKI Core contains fundamental packages required by Red Hat
Certificate System, which contain the Certificate Authority (CA) subsystem.
Note: The Certificate Authority component provided by this update is not intended to be used as a
standalone server. It is installed and operates as a part of the Red Hat Enterprise Identity (IPA).
Bug Fix
BZ#698796
Configuration of a certificate server failed with the following error: "Unable to retrieve CA
chain: request failed with HTTP status 500". This occurred due to a race condition between
the process reading the /etc/pki-ca/registry.cfg file and the restart process as registry.cfg
was timestamped on startup. registry.cfg is now left unmodified on startup.
BZ#728651
On Red Hat Certificate System 8, the 64-bit pkicreate script was attempting to use
libCryptoki2.so for SafeNet Luna SA and failed to load it as the library did not exist. The
code has been changed and pkicreate on 64-bit platforms now uses libCryptoki2_64.so.
BZ#691076
The pkiremove command removed all instances of the CA (Certification Authority) type
instead of removing only a specific instance. This occurred because pkiremove removed
the registry directory /etc/sysconfig/pki/[subsystem_type] instead of removing only the
registry entry for the specific instance in the /etc/sysconfig/pki/[type]/ directory. The
command now removes only the respective type instance.
BZ#708075
In a NAT (Network Address Translation) environment, authentication of an IPA machine
clone could fail with a NullPointerException on machine setup. This happened when the
clone tried to authenticate itself with a NAT translated IP address that was different from the
IP address previously used for the authentication. Therefore, the master IPA machine
rejected the authentication. As the machines use a shared key throughout the connection,
the IP check was redundant and has been removed.
BZ#693835
PKI provided Apache Tomcat configuration files which set "user:group" to
"pkiuser:pkiuser". Therefore, the /var/log/tomcat6/catalina.out file was also owned by
pkiuser. As the file needs to be owned by Tomcat 6, the TOMCAT_LOG variable has been
added to the configuration files and Tomcat now uses "tomcat:tomcat" as its "user:group".
BZ#726785
The Dogtag subsystem did not detect a replication failure if the replication failed during
clone setup. Therefore, Dogtag kept looking for the root directory on the directory server
and got into an infinite loop as the replication failed and the root directory was never
created. Dogtag now waits for the replication to finish and the problem no longer occurs.
BZ#700522
Due to changes in startup scripts, the PKI SELinux policy was not applied and tomcat6
instances ran unconfined. The startup scripts now apply the SELinux policy if enabled
and tomcat6 instances now run with the restrictions defined in the policy.
Enhancements
BZ#729126
The default validity period of the default and constraint server certificates has been
changed to 2 years.
BZ#689891
The number of restarts needed during installation of Dogtag Certificate Server was
decreased.
BZ#689909
Several checks have been added to speed up installation of Dogtag Certificate Server.
BZ#722634
The client usage flag has been added to the caIPAserviceCert server certificate. This allows
an IPA server to use the server certificate as a client certificate and authenticate itself.
BZ#737179
The pki-setup-proxy script, which adds a configuration file to Apache Tomcat and updates the
server.xml and CS.cfg files, has been added. The script upgrades the proxy configuration of
an existing IPA installation to the AJP (Apache JServ Protocol) proxy code introduced in
upstream version 2.1.1.
Users should upgrade to these updated pki-core packages, which fix the bugs and add the
enhancements.
4.231.2. RHBA-2012:0357 — pki-core bug fix and enhancement update
Updated pki-core packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
Red Hat Certificate System is an enterprise software system designed to manage enterprise public key
infrastructure (PKI) deployments. pki-core contains fundamental packages required by Red Hat
Certificate System, which contain the Certificate Authority (CA) subsystem.
Note: The Certificate Authority component provided by this update is not intended to be used as a
standalone server. It is installed and operates as a part of Identity Management (IPA) in Red Hat
Enterprise Linux.
Bug Fix
BZ#772222
When installing IPA, the installer uses 'sslget' to communicate with the CA. The server sends
out a full response to the sslget client, but the client receives only 5 bytes of the encrypted
stream.
Users should upgrade to these updated pki-core packages, which fix the listed bug.
4.232. plymouth
4.232.1. RHBA-2011:1766 — plymouth bug fix update
Updated plymouth packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
Plymouth provides a graphical boot animation in place of the text messages that are normally
displayed. Text messages are instead redirected to a log file for viewing after boot.
Bug Fixes
BZ#719569
Previously, plymouth incorrectly parsed "console" parameters that were set to "tty0" on the
kernel command line. When the user had connected the serial port from another machine
and rebooted the system, the boot log was not redirected to the serial console and the user
could not view it as a consequence. A patch has been applied to address the issue so that
users can now view the output of the boot log.
BZ#741515
Previously, plymouth did not perform proper tty clean up on some consoles if more than
one line contained the "console=" parameter. The terminal was locked as a consequence
and the user was not able to log in from the serial console. With this update, plymouth is
modified to correctly handle multiple lines containing "console=" and users are now able to
log in as expected.
All users of plymouth are advised to upgrade to these updated packages, which fix these bugs.
4.233. policycoreutils
4.233.1. RHBA-2011:1637 — policycoreutils bug fix update
Updated policycoreutils packages that fix several bugs are now available for Red Hat Enterprise
Linux 6.
The policycoreutils packages contain the core utilities that are required for the basic operation of a
Security-Enhanced Linux (SELinux) system and its policies.
Bug Fixes
BZ#662064
Due to the wrong run_init pseudo terminal (pty) handling, it was not possible to start the
sshd daemon properly with the run_init utility. With this update, the bug has been fixed so
that run_init now works, as expected.
BZ#666861
If the "-D" option was used with the "semanage module" command, it resulted in a
traceback. With this update, the functionality that allowed removal of every single policy
module from a system has been removed from the semanage utility so that the bug is now
fixed.
BZ#677541, BZ#677542
Previously, the semanage(8) man page did not describe certain options. This update
corrects the man page so that these options are now described, as expected.
BZ#689153, BZ#695288, BZ#696809, BZ#735044
Previously, the SELinux graphical tools and the common SELinux tools did not work on
systems with SELinux disabled. This bug has been fixed by allowing the SELinux graphical
tools and the common SELinux tools to run on these systems.
BZ#690502
Previously, running the "sandbox -H /tmp/testuserhome ls ~" command resulted in a
traceback. With this update, the command now works as expected.
BZ#702860
Previously, the gnome-python2-gtkhtml2 package was required by the policycoreutils-gui
package. As a result, the Automatic Bug Reporting Tool (ABRT) utilities generated a
traceback. With this update, the gnome-python2-gtkhtml2 package is no longer required by
the policycoreutils-gui package, thus the bug is fixed.
BZ#705027
Previously, the sestatus(8) man page missed the description of the "-b" option. This update
corrects the man page so that this option is now described, as expected.
BZ#715021
Previously, polyinstantiated directories had the wrong multilevel secure (MLS) range set for
a user. As a result, the user was not able to create files in the /tmp/ directory, or, under
certain circumstances, to log in. This update fixes the bug by correcting the namespace.init
script.
BZ#734467
Previously, the rsync package was not required by any of the policycoreutils packages,
although the "seunshare" command, which is provided by the policycoreutils-sandbox
package, requires the rsync package to work properly. With this update, the rsync package
is now required by the policycoreutils-sandbox package, thus the bug is fixed.
BZ#736153
Previously, it was possible to change the USER, ROLE, and MLS ranges on an object with
the "restorecon" command even if the "-F" option was not specified. This update fixes the
unintended behavior by disallowing "restorecon" to change the USER, ROLE or MLS
ranges on the object unless the "-F" option is specified.
BZ#739587, BZ#740669
If the "restorecon" command was successful, the return code "1" was erroneously returned.
This unintended behavior has been fixed with this update so that "restorecon" now returns
the code "0", as expected.
BZ#750594
If booting with the "SELinux=disabled" option set in the /etc/selinux/config file (but without
specifying the "selinux=0" option at the kernel prompt), dracut output the following error:
dracut: /sbin/load_policy: Can't load policy: No such file or
directory
With this update, dracut no longer outputs this error.
All users of policycoreutils are advised to upgrade to these updated packages, which fix these bugs.
4.233.2. RHBA-2012:0134 — policycoreutils bug fix update
Updated policycoreutils packages that fix three bugs are now available for Red Hat Enterprise Linux
6.
The policycoreutils packages contain the core utilities that are required for the basic operation of a
Security-Enhanced Linux (SELinux) system and its policies.
Bug Fixes
BZ#785678
The semanage utility did not produce correct audit messages in the Common Criteria
certified environment. This update modifies semanage so that it now sends correct audit
events when the user is assigned to or removed from a new role.
This update also modifies behavior of semanage concerning the user's SELinux Multi-Level
Security (MLS) and Multi-Category Security (MCS) range. The utility now works with the
user's default range of the MLS/MCS security level instead of the lowest.
In addition, the semanage(8) manual page has been corrected to reflect the current
semanage functionality.
BZ#787579
The missing exit(1) function call in the underlying code of the sepolgen-ifgen utility could
cause the restorecond daemon to access already freed memory when retrieving user's
information. This would cause restorecond to terminate unexpectedly with a segmentation
fault. With this update, restorecond has been modified to check the return value of the
getpwuid() function to avoid this situation.
BZ#787605
When installing packages on the system in Federal Information Processing Standard
(FIPS) mode, parsing errors could occur and installation failed. This was caused by the
"/usr/lib64/python2.7/site-packages/sepolgen/yacc.py" parser, which used MD5 checksums
that are not supported in FIPS mode. This update modifies the parser to use SHA-256
checksums and the installation process is now successful.
All users of policycoreutils are advised to upgrade to these updated packages, which fix these bugs.
4.234. postgresql
4.234.1. RHSA-2012:0678 — Moderate: postgresql and postgresql84 security update
Updated postgresql84 and postgresql packages that fix three security issues are now available for
Red Hat Enterprise Linux 5 and 6 respectively.
The Red Hat Security Response Team has rated this update as having moderate security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
PostgreSQL is an advanced object-relational database management system (DBMS).
Security Fixes
CVE-2012-0868
The pg_dump utility inserted object names literally into comments in the SQL script it
produces. An unprivileged database user could create an object whose name includes a
newline followed by an SQL command. This SQL command might then be executed by a
privileged user during later restore of the backup dump, allowing privilege escalation.
CVE-2012-0867
When configured to do SSL certificate verification, PostgreSQL only checked the first 31
characters of the certificate's Common Name field. Depending on the configuration, this
could allow an attacker to impersonate a server or a client using a certificate from a trusted
Certificate Authority issued for a different name.
CVE-2012-0866
CREATE TRIGGER did not do a permissions check on the trigger function to be called. This
could possibly allow an authenticated database user to call a privileged trigger function on
data of their choosing.
These updated packages upgrade PostgreSQL to version 8.4.11, which fixes these issues as well as
several data-corruption issues and lesser non-security issues. Refer to the PostgreSQL Release
Notes for a full list of changes:
http://www.postgresql.org/docs/8.4/static/release.html
All PostgreSQL users are advised to upgrade to these updated packages, which correct these issues.
If the postgresql service is running, it will be automatically restarted after installing this update.
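What the CVE-2012-0868 issue described above looks like at the script level, as an added example in Python (not pg_dump's code). It writes an object name into a "--" comment literally and then with line breaks flattened, and lists the statements a restore would execute in each case. The header layout is a simplified model of a dump comment, the table name and the harmless "SELECT 1" are constructed, and the statement splitter understands only "--" comments and double-quoted identifiers.

```python
def quote_ident(name):
    """Double-quote an SQL identifier, doubling embedded quotes."""
    return '"' + name.replace('"', '""') + '"'


def header_literal(name, obj_type):
    """Flawed pattern: the object name is copied into the comment as-is."""
    return "--\n-- Name: %s; Type: %s\n--\n\n" % (name, obj_type)


def header_flattened(name, obj_type):
    """Hardened pattern: line breaks in the name become spaces, so the
    whole name stays on the comment line."""
    flat = name.replace("\r", " ").replace("\n", " ")
    return "--\n-- Name: %s; Type: %s\n--\n\n" % (flat, obj_type)


def dump_table(name, header):
    """Emit a comment header followed by correctly quoted DDL."""
    ddl = "CREATE TABLE %s (id integer);\n" % quote_ident(name)
    return header(name, "TABLE") + ddl


def executable_statements(script):
    """Return the statements left once '--' comments are dropped.

    Semicolons and line breaks inside double-quoted identifiers are kept
    as part of the identifier.
    """
    statements, current = [], []
    in_quotes = False
    i, n = 0, len(script)
    while i < n:
        ch = script[i]
        if in_quotes:
            current.append(ch)
            if ch == '"':
                if i + 1 < n and script[i + 1] == '"':
                    current.append('"')   # escaped quote inside identifier
                    i += 1
                else:
                    in_quotes = False
        elif script.startswith("--", i):
            end = script.find("\n", i)    # comment runs to end of line
            i = n if end == -1 else end
            continue
        elif ch == '"':
            in_quotes = True
            current.append(ch)
        elif ch == ";":
            statement = "".join(current).strip()
            if statement:
                statements.append(statement)
            current = []
        else:
            current.append(ch)
        i += 1
    tail = "".join(current).strip()
    if tail:
        statements.append(tail)
    return statements


# Constructed object name: a newline followed by a harmless SQL command.
CRAFTED_NAME = "orders\nSELECT 1;"

if __name__ == "__main__":
    for header in (header_literal, header_flattened):
        script = dump_table(CRAFTED_NAME, header)
        print(header.__name__, executable_statements(script))
```

With the literal header the text after the newline is no longer part of the comment and becomes the first statement of the restore; with the flattened header only the CREATE TABLE statement remains.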
4.235. powerpc-utils
4.235.1. RHEA-2011:1562 — powerpc-utils bug fix and enhancement update
An updated powerpc-utils package that fixes several bugs and adds various enhancements is now
available for Red Hat Enterprise Linux 6.
The powerpc-utils package provides various utilities for a PowerPC platform.
The powerpc-utils package has been upgraded to upstream version 1.2.10, which provides a number
of bug fixes and enhancements over the previous version. The powerpc-utils package now provides
the following new features:
BZ#694541
The page coalescing feature that provides the ability to share identical pages in physical
memory among multiple logical partitions. Identical pages are consolidated into one
shared read-only copy, and expanded into individual copies if an individual partition
change occurs.
BZ#632705
The lparstat tool that provides the ability to display various attributes of IBM Power Logical
Partitions, such as CPU and memory entitlement and other similar attributes.
Bug Fixes
BZ#698433
When removing memory from logical partition (LPAR) in Dynamic Logical Partitioning
(DLPAR), the dynamic memory manager (drmgr) did not set the memory off-line correctly. As
a consequence, the kernel of the LPAR panicked. This update corrects the code so that
drmgr now sets memory off-line properly, and the kernel no longer crashes when removing
memory in DLPAR.
BZ#739888
The drmgr(8) manual page contained obsolete information that drmgr is a part of the
ppc64-utils suite. This has been corrected, and the manual page now states that drmgr is a
part of the powerpc-utils suite.
BZ#739957
The ofpathname script was not able to convert the Open Firmware device path name to the
logical device name for SAN disks. With this update, ofpathname converts path names to
device names correctly.
All users of powerpc-utils are advised to upgrade to this updated package, which fixes these bugs
and adds these enhancements.
4.236. powertop
4.236.1. RHBA-2011:1230 — powertop bug fix update
An updated powertop package that fixes one bug is now available for Red Hat Enterprise Linux 6.
PowerTOP is a tool to detect all the software components that make a computer consume more than
necessary power when idle. PowerTOP can be used to reduce power usage by running various
commands on the system.
Bug Fix
BZ#698422
Previously, PowerTOP did not correctly handle the SIGWINCH signal. As a result,
PowerTOP was terminated unexpectedly if the terminal window, in which PowerTOP was
running, was resized. This update fixes the SIGWINCH signal handling so that PowerTOP
is not unexpectedly terminated if the terminal window is resized.
All PowerTOP users are advised to upgrade to this updated package, which fixes this bug.
4.237. prelink
4.237.1. RHEA-2011:1768 — prelink enhancement update
An updated prelink package that adds one enhancement is now available for Red Hat Enterprise
Linux 6.
The prelink utility is used to modify ELF shared libraries and executables. It reduces the number of
relocations that need to be resolved at runtime, and thus enables faster start-up.
Enhancement
BZ#739460
To improve performance on AMD Family 15h processors, the prelink utility has been
adapted to align 32-bit libraries on 32 KB boundaries.
All users of prelink are advised to upgrade to this updated package, which adds this enhancement.
4.238. procps
4.238.1. RHBA-2011:1554 — procps bug fix update
An updated procps package that fixes various bugs is now available for Red Hat Enterprise Linux 6.
The procps package contains a set of system utilities that provide system information using the /proc
file system. The procps package includes free, pgrep, pkill, pmap, ps, pwdx, skill, slabtop, snice,
sysctl, tload, top, uptime, vmstat, w and watch.
Bug Fixes
BZ#692397
There was a typo in the ps(1) manual page which caused the layout of the page to break.
The typo has been fixed and the ps(1) manual page is now displayed correctly.
BZ#690078
Incorrectly declared variables may have led to a memory leak or caused the pmap, ps and
vmstat utilities to misbehave. The variables are now nullified and declared in the correct
place, fixing the problem.
BZ#697935
Prior to this update, the sysctl utility did not accept partial keys to display all the key pairs
within a certain namespace of the /proc file system. The following error message appeared
when running the "sysctl net.core" command:
"Invalid argument" reading key "net.core"
With this update, the sysctl utility accepts the partial keys and all the keys with the specified
prefix are now displayed.
BZ#709684
Previously, the top utility displayed incorrect values in the SWAP field due to the values of
the per-process swap being incorrectly calculated as a difference between virtual and
physical memory used by a task. The /proc file system provided by kernel is now the main
source of the swap information.
BZ#701710
Previously, the vmstat utility displayed incorrect values of the free page count on 8TB SGI
(Silicon Graphics) systems. The vmstat utility has been modified to display the correct free
page count.
All users of procps are advised to upgrade to this updated package, which fixes these bugs.
4.239. psacct
4.239.1. RHBA-2012:1051 — psacct bug fix update
Updated psacct packages that fix two bugs are now available for Red Hat Enterprise Linux 6
Extended Update Support.
The psacct packages contain utilities for monitoring process activities, including ac, lastcomm,
accton, dump-acct, dump-utmp and sa. The "ac" command displays statistics about how long users
have been logged on. The "lastcomm" command displays information about previously executed
commands. The "accton" command turns process accounting on or off. The "dump-acct" command
transforms the output file from the accton format to a human-readable format. The "dump-utmp"
command prints utmp files in human-readable format. The "sa" command summarizes information
about previously executed commands.
Bug Fixes
BZ#828726
Previously, improper data type detection could have caused an arithmetic overflow. As a
consequence, the dump-acct tool reported incorrect elapsed time values. A patch has been
applied so that correct values are reported with this update.
BZ#834216
Previously, improper data type conversion caused the dump-utmp tool to report invalid
timestamps. Consequently, mainly on the 64-bit PowerPC architecture, dump-utmp could
have terminated unexpectedly with a segmentation fault. A patch has been applied so that
correct values are reported and no crashes occur with this update.
All users of psacct are advised to upgrade to these updated packages, which fix these bugs.
4.240. pulseaudio
4.240.1. RHBA-2012:1066 — pulseaudio bug fix update
Updated pulseaudio packages that fix one bug are now available for Red Hat Enterprise Linux 6
Extended Update Support.
PulseAudio is a sound server for Linux and other Unix-like operating systems.
Bug Fix
BZ#836138
On certain sound card models by Creative Labs, the S/PDIF Optical Raw output was
enabled on boot regardless of the previous settings. This caused the audio output on the
analog duplex output to be disabled. With this update, the S/PDIF Optical Raw output is
disabled on boot so that the analog output works as expected.
All users of pulseaudio are advised to upgrade to these updated packages, which fix this bug.
4.241. pykickstart
4.241.1. RHBA-2011:1682 — pykickstart bug fix update
An updated pykickstart package that fixes a bug is now available for Red Hat Enterprise Linux 6.
The pykickstart package contains a python library for manipulating kickstart files.
Bug Fix
BZ#656278
When validating the syntax of a kickstart file in certain locales, the ksvalidator tool
terminated with a traceback if the kickstart file contained any deprecated syntax. This has
been fixed: ksvalidator no longer terminates and instead prints a warning message that the
kickstart file contains deprecated syntax.
All users of pykickstart are advised to upgrade to this updated package, which resolves this bug.
4.242. pyparted
4.242.1. RHBA-2011:1641 — pyparted bug fix update
An updated pyparted package that fixes a bug is now available for Red Hat Enterprise Linux 6.
The pyparted package contains Python bindings for the libparted library. It is primarily used by the
Red Hat Enterprise Linux installation software.
Bug Fix
BZ#725558
Due to a missing flag in the GPT (GUID Partition Table) disklabel, the anaconda installer
terminated with a traceback during the installation of Red Hat Enterprise Linux 6.2. With this
update, support for the PARTITION_LEGACY_BOOT flag has been added to the pyparted
package, thus fixing this bug.
Users of pyparted are advised to upgrade to this updated package, which fixes this bug.
4.243. python
4.243.1. RHBA-2011:1564 — python bug fix and enhancement update
Updated python packages that fix several bugs and add an enhancement are now available for Red
Hat Enterprise Linux 6.
Python is an interpreted, interactive, object-oriented programming language.
Bug Fixes
BZ#697470
The Python standard library contains numerous APIs that handle the uid_t and gid_t
attributes, which contain unsigned 32-bit values. Previously, the existing code often
passed the values as C language long values, which are signed 32-bit values on 32-bit
architectures. Consequently, negative integer objects occurred when a uid_t/gid_t value
was equal or larger than 2^31 on 32-bit architectures. With this update, the standard library
has been updated throughout to accept the full range of uid_t/gid_t values (0 through
2^32-1), using " int" objects for small values, but using " long" objects where needed to
avoid integer overflow. As a special case, " -1" is also supported, as this value has special
meaning for the os.chown() function and other related functions.
BZ#713082
Previously, the multiprocessing module used the "select" system call to communicate with
subprocesses, limiting the number of file descriptors to the value of the FD_SETSIZE
variable (1024). With this update, the multiprocessing module has been ported to use the
"poll" system call, instead of "select", thus fixing this bug.
BZ#685234
Previously, a race condition sometimes caused the forking.Popen.poll() method of the
multiprocessing module to terminate with the "OSError: [Errno 10] No child processes" error
message when starting subprocesses. This bug has been fixed and the crashes no longer
occur in the described scenario.
BZ#689794
Previously, the getpass.getpass() method discarded Ctrl-C and Ctrl-Z input, requiring the
user to press Ctrl-D to exit the password entry prompt and then returning traceback error
messages. With this update, the described user input is processed properly by the
getpass.getpass() method.
BZ#699740
Due to a bug, the readline.get_history_length() and readline.get_history_item() methods
leaked memory when executed. This bug has been fixed and no longer occurs.
BZ#727364
When building the C extension modules, if a value for the CFLAGS variable is defined in the
environment, it is appended to the compilation flags from Python's Makefile. Due to a bug,
only flags stored in the OPT variable were supplied from the Makefile. Consequently, the
"-fno-strict-aliasing" flag was missing and build errors occurred. This bug has been fixed,
CFLAGS are properly appended to the original Python build string, and no build errors are
now returned in the described scenario.
BZ#667431
When feeding data to the standard input of short-lived processes, the
subprocess.Popen.communicate() method sometimes terminated with the "OSError: [Errno
32] Broken pipe" error message. This bug has been fixed and the crashes no longer occur
in the described scenario.
Enhancement
BZ#711818
The gdb (GNU Debugger) Python hooks for debugging Python itself (via the python-debuginfo
package) have been enhanced. The hooks now report if a thread is waiting on a
lock, such as the GIL (Global Interpreter Lock), and call to appropriate C functions,
methods, and garbage collections. In addition, the hooks have been optimized to provide
at least file and function names, when line numbers and locals are not available.
All users of python are advised to upgrade to these updated packages, which fix these bugs and add
this enhancement.
4.243.2. RHSA-2012:0744 — Moderate: python security update
Updated python packages that fix multiple security issues are now available for Red Hat Enterprise
Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
Python is an interpreted, interactive, object-oriented programming language.
Security Fixes
CVE-2012-1150
A denial of service flaw was found in the implementation of associative arrays (dictionaries)
in Python. An attacker able to supply a large number of inputs to a Python application
(such as HTTP POST request parameters sent to a web application) that are used as keys
when inserting data into an array could trigger multiple hash function collisions, making
array operations take an excessive amount of CPU time. To mitigate this issue,
randomization has been added to the hash function to reduce the chance of an attacker
successfully causing intentional collisions.
Note
The hash randomization is not enabled by default as it may break applications that
incorrectly depend on dictionary ordering. To enable the protection, the new
"PYTHONHASHSEED" environment variable or the Python interpreter's "-R"
command line option can be used. Refer to the python(1) manual page for details.
The RHSA-2012:0731 expat erratum must be installed with this update, which adds hash
randomization to the Expat library used by the Python pyexpat module.
CVE-2012-0845
A flaw was found in the way the Python SimpleXMLRPCServer module handled clients
disconnecting prematurely. A remote attacker could use this flaw to cause excessive CPU
consumption on a server using SimpleXMLRPCServer.
CVE-2011-4940
A flaw was found in the way the Python SimpleHTTPServer module generated directory
listings. An attacker able to upload a file with a specially-crafted name to a server could
possibly perform a cross-site scripting (XSS) attack against victims visiting a listing page
generated by SimpleHTTPServer, for a directory containing the crafted file (if the victims
were using certain web browsers).
CVE-2011-4944
A race condition was found in the way the Python distutils module set file permissions
during the creation of the .pypirc file. If a local user had access to the home directory of
another user who is running distutils, they could use this flaw to gain access to that user's
.pypirc file, which can contain usernames and passwords for code repositories.
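The file-permission race described for CVE-2011-4944 can be seen in the added example below, which is not distutils code: it contrasts creating a credentials file and restricting it afterwards with creating it owner-only in a single call. The file names, the SAMPLE_PYPIRC text and the observe callback (standing in for a second local user looking at the file) are constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed stand-in for a .pypirc body; these are not real credentials.
SAMPLE_PYPIRC = "[server-login]\nusername: example-user\npassword: example-placeholder\n"


def mode_of(path):
    """Permission bits of path, for example 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def write_then_chmod(path, data, observe=None):
    """Racy pattern: the file carries umask-derived permissions until chmod runs."""
    with open(path, "w") as fh:
        fh.write(data)
    if observe:
        observe(path)  # the moment at which another local user could open the file
    os.chmod(path, 0o600)


def write_private(path, data, observe=None):
    """Hardened pattern: the file is created owner-only by the creating call itself."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)  # O_EXCL fails if anything already sits at path
    with os.fdopen(fd, "w") as fh:
        if observe:
            observe(path)
        fh.write(data)


def demo():
    """Run both patterns in a scratch directory and report the modes that were visible."""
    seen = {}
    old_umask = os.umask(0o022)  # common default; leaves the racy file world-readable
    try:
        with tempfile.TemporaryDirectory() as home:
            racy = os.path.join(home, "racy.pypirc")
            write_then_chmod(racy, SAMPLE_PYPIRC,
                             lambda p: seen.update(racy_window=mode_of(p)))
            seen["racy_final"] = mode_of(racy)

            safe = os.path.join(home, "safe.pypirc")
            write_private(safe, SAMPLE_PYPIRC,
                          lambda p: seen.update(private_window=mode_of(p)))

            try:
                write_private(safe, SAMPLE_PYPIRC)  # the path already exists
                seen["precreated_refused"] = False
            except FileExistsError:
                seen["precreated_refused"] = True
    finally:
        os.umask(old_umask)
    return seen


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```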
Red Hat would like to thank oCERT for reporting CVE-2012-1150. oCERT acknowledges Julian
Wälde and Alexander Klink as the original reporters of CVE-2012-1150.
All Python users should upgrade to these updated packages, which contain backported patches to
correct these issues.
4.244. python-dmidecode
4.244.1. RHBA-2011:1589 — python-dmidecode bug fix update
An updated python-dmidecode package that fixes various bugs is now available for Red Hat
Enterprise Linux 6.
The python-dmidecode package provides a python extension module that uses the code-base of the
dmidecode utility and presents the data as python data structures or as XML data using the libxml2
library.
The python-dmidecode package has been upgraded to upstream version 3.10.13, which provides a
number of bug fixes over the previous version. (BZ#621567)
Bug Fixes
BZ#627901
When trying to identify the processor type by performing a string comparison, Python
terminated with a segmentation fault. This was caused by DMI tables which did not report
the CPU processor information as a string and returned a NULL value instead. This update
adds additional checks for NULL values before doing the string comparison.
BZ#646429
Previously, when calling the memcpy() function on the IBM System z machine which was
under heavy memory load, a SIGILL signal was triggered. As a consequence, the complete
Python interpreter core dumped. A signal handler was added to properly handle heavy
memory loads.
BZ#667363
Prior to this update, when running the rhn_register utility, providing a valid user name and
password, and clicking the Forward button, the tool terminated unexpectedly with a
segmentation fault. This was caused by the dmi_processor_id() function not checking
whether the version pointer was NULL. This update adds additional checks for NULL
values, fixing the problem.
All users of python-dmidecode are advised to upgrade to this updated package, which resolves
these bugs.
4.245. python-meh
4.245.1. RHBA-2011:1763 — python-meh bug fix update
An updated python-meh package that fixes two bugs is now available for Red Hat Enterprise Linux 6.
The python-meh package provides a python library for handling exceptions.
Bug Fixes
BZ#728871
Prior to this update, bug reports filed with python-meh were missing information. With this
update, these bug reports now include more useful information on system architecture and
versions of packages related to the bug.
BZ#730924
Prior to this update, the report packages which python-meh depended on were named
"report-gtk" and "report-newt". The packages have been renamed "libreport-gtk" and
"libreport-newt". This update changes the python-meh spec file to require these new report
packages.
All users of python-meh are advised to upgrade to this updated package, which fixes these bugs.
4.246. python-netaddr
4.246.1. RHBA-2011:1658 — python-netaddr bug fix update
An updated python-netaddr package that fixes a bug is now available for Red Hat Enterprise Linux 6.
The python-netaddr package provides a network address representation and manipulation library
for Python. The netaddr library allows Python applications to work with IPv4 and IPv6 addresses,
subnetworks, non-aligned IP address ranges and sets, MAC addresses, Organizationally Unique
Identifiers (OUI), Individual Address Blocks (IAB), and IEEE EUI-64 identifiers.
Bug Fix
BZ#710373
Prior to this update, if an IPNetwork object was instantiated with bad data, the python-netaddr
code tried to access an unbound local variable and the erroneous exception
"UnboundLocalError" was raised. It should raise the AddrFormatError exception instead.
Consequently a user of python-netaddr had to check for all exceptions instead of just
"netaddr.core.AddrFormatError". With this update the code is corrected and functions as
expected in the scenario described.
All users of python-netaddr are advised to upgrade to this updated package, which fixes this bug.
4.247. python-psycopg2
4.247.1. RHBA-2012:0145 — python-psycopg2 bug fix and enhancement update
An updated python-psycopg2 package that fixes multiple bugs and adds multiple enhancements is
now available for Red Hat Enterprise Linux 6.
The python-psycopg2 package provides a PostgreSQL database adapter for the Python
programming language.
The python-psycopg2 package has been upgraded to upstream version 2.0.14, which provides a
number of bug fixes and enhancements over the previous version, including the fix for a memory leak
in cursor handling. This update also ensures better compatibility with the PostgreSQL
object-relational database management system version 8.4. (BZ#787164)
All users of python-psycopg2 are advised to upgrade to this updated package, which fixes these
bugs and adds these enhancements.
4.248. python-qpid
4.248.1. RHBA-2011:1666 — python-qpid bug fix update
An updated python-qpid package is now available for Red Hat Enterprise Linux 6.
The python-qpid package provides a python client library for the Apache Qpid implementation of the
Advanced Message Queuing Protocol (AMQP).
The python-qpid package has been upgraded to upstream version 0.12. (BZ#706993)
Users of python-qpid are advised to upgrade to this updated package.
4.249. python-rhsm
4.249.1. RHBA-2011:1696 — python-rhsm bug fix update
An updated python-rhsm package that fixes multiple bugs is now available for Red Hat Enterprise
Linux 6.
The python-rhsm package contains a small library for communicating with the representational state
transfer (REST) interface of a Red Hat Unified Entitlement Platform. This interface is used for the
management of system entitlements, certificates, and access to content.
Bug Fixes
BZ#700601
Prior to this update, the firstboot utility was trying to set an erroneous environment variable
LANG=us. As a result, firstboot was unable to start properly. With this update, the C locale is
now used as the fallback locale so that the problem does not occur anymore.
BZ#719378
If a user name containing a white space was submitted during the registration process in
the Subscription Manager, an incorrect error message was displayed. This problem has
been fixed in this update so that the correct error message "Invalid credentials" is now
displayed.
BZ#728266
If a subscription was selected in the My Subscriptions tab in the Subscription Manager,
and then the Unsubscribe button was pressed, an error occurred. With this update, the
problem has been fixed so that the unsubscribe function in the Subscription Manager now
works, as expected.
BZ#736166
The /etc/rhsm/ca/candlepin-stage.pem, /etc/rhsm/ca/fakamai-cp1.pem, and
/etc/rhsm/ca/redhat-uep.pem certificates have been moved to the updated python-rhsm
package so that it is now possible for python-rhsm to register with the hosted Candlepin
system.
BZ#746241
If the rhsmcertd daemon received information about an existing update, but no products
were installed, an exception occurred. Also, if the virt-who agent attempted to update the
guest systems of a host, but there were no guest systems available, an exception occurred.
All users of python-rhsm are advised to upgrade to this updated package, which fixes these bugs.
4.250. python-slip
4.250.1. RHBA-2012:0413 — python-slip bug fix update
Updated python-slip packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The Simple Library for Python (SLIP) packages contain miscellaneous code for convenience,
extension and workaround purposes.
The python-slip packages have been upgraded to upstream version 0.2.20, which provides a
number of bug fixes over the previous version. In addition, this update fixes a bug causing previous
versions of python-slip to incorrectly determine whether SELinux was enabled or not. Therefore,
convenience functions for writing files always attempted to set SELinux labels even if SELinux was
disabled. This could cause, for example, the system-config-date tool to fail to change settings.
(BZ#796323)
All users of python-slip are advised to upgrade to these updated packages, which fix this bug.
4.251. python-sqlalchemy
4.251.1. RHSA-2012:0369 — Moderate: python-sqlalchemy security update
An updated python-sqlalchemy package that fixes one security issue is now available for Red Hat
Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
SQLAlchemy is an Object Relational Mapper (ORM) that provides a flexible, high-level interface to
SQL databases.
Security Fix
CVE-2012-0805
It was discovered that SQLAlchemy did not sanitize values for the limit and offset keywords
for SQL select statements. If an application using SQLAlchemy accepted values for these
keywords, and did not filter or sanitize them before passing them to SQLAlchemy, it could
allow an attacker to perform an SQL injection attack against the application.
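The application-side filtering that the CVE-2012-0805 entry refers to is sketched in the added example below, which is not SQLAlchemy code: the standard sqlite3 module stands in for the database layer so that the block runs without extra packages. The table contents, MAX_LIMIT, MAX_OFFSET and all function names are constructed for illustration.

```python
import re
import sqlite3

MAX_LIMIT = 100        # assumed application policy for page size
MAX_OFFSET = 1000000   # assumed application policy for paging depth


def make_db():
    """In-memory table with three constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pkg (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO pkg (name) VALUES (?)",
                   [("pykickstart",), ("pyparted",), ("python-qpid",)])
    return db


def page_interpolated(db, limit, offset):
    """Unfiltered pattern: request values are pasted into the statement text."""
    sql = "SELECT name FROM pkg ORDER BY id LIMIT %s OFFSET %s" % (limit, offset)
    return [row[0] for row in db.execute(sql)]


def clean_page_arg(raw, name, upper):
    """Accept only a plain non-negative decimal integer no larger than upper."""
    text = str(raw).strip()
    if not re.fullmatch(r"[0-9]{1,9}", text):
        raise ValueError("%s must be a non-negative integer" % name)
    value = int(text)
    if value > upper:
        raise ValueError("%s exceeds the allowed maximum of %d" % (name, upper))
    return value


def page_bound(db, raw_limit, raw_offset):
    """Filtered pattern: validate first, then pass the integers as bound parameters."""
    limit = clean_page_arg(raw_limit, "limit", MAX_LIMIT)
    offset = clean_page_arg(raw_offset, "offset", MAX_OFFSET)
    sql = "SELECT name FROM pkg ORDER BY id LIMIT ? OFFSET ?"
    return [row[0] for row in db.execute(sql, (limit, offset))]


def is_rejected(db, raw_limit, raw_offset):
    """True when the filtered path refuses the request values."""
    try:
        page_bound(db, raw_limit, raw_offset)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    crafted = "1 OFFSET 1 --"  # constructed value that is SQL syntax, not a number
    print("interpolated, limit='1':    ", page_interpolated(db, "1", "0"))
    print("interpolated, crafted limit:", page_interpolated(db, crafted, "0"))
    print("bound, limit='2' offset='1':", page_bound(db, "2", "1"))
    print("bound rejects crafted limit:", is_rejected(db, crafted, "0"))
```

The crafted value returns a different row through the interpolated path because the database parses it as part of the statement; the filtered path never lets it reach the statement text.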
All users of python-sqlalchemy are advised to upgrade to this updated package, which contains a
patch to correct this issue. All running applications using SQLAlchemy must be restarted for this
update to take effect.
4.252. python-virtinst
4.252.1. RHBA-2011:1643 — python-virtinst bug fix and enhancement update
An updated python-virtinst package that fixes several bugs and adds various enhancements is now
available for Red Hat Enterprise Linux 6.
The python-virtinst package provides a Python module that helps build and install libvirt-based
virtual machines.
The python-virtinst package has been upgraded to upstream version 0.600.0, which provides a
number of bug fixes and enhancements over the previous version. In particular, this update fixes the
following bugs:
BZ#684786
Prior to this update, optimal cache and asynchronous I/O defaults were applied when a
virtual machine was created, but not when a new device was added to an existing guest.
This negatively affected the performance of such devices. With this update, the underlying
source code has been corrected to apply the optimized defaults to new disks for existing
guests as well.
BZ#696969
The virtinst module for Python often called the ifconfig program unnecessarily when
parsing a domain XML file. Consequent to this, if a domain contained many "direct" network
interfaces, the virt-manager application responded so slowly that it could not be used
properly. This update removes the redundant ifconfig calls from the code, and virt-manager
now works well even with a large number of "direct" network interfaces.
BZ#697798
When using the virt-install utility, an attempt to use the "--location" (or "-l") command line
option to specify an ISO image file rendered the guest unable to find this image during
installation. This update corrects the underlying source code to make sure such guests can
now find the ISO image as expected.
BZ#698085
When the user attempted to use the virt-install utility to specify a static SELinux label, the
utility failed to create correct guest configuration and the static SELinux label did not take
effect for this guest. This update ensures that virt-install now generates correct
configuration so that the static labels can be set as expected.
BZ#727986
When the user attempted to run the virt-install command with a mixed-case value of the "--cpu"
option, the previous version of the virt-install utility failed with an error, because it
automatically converted values passed on the command line to lower case. This update
corrects the utility to preserve the case of command line arguments, and the "virt-install --cpu"
command can now be run with a mixed-case value as expected.
BZ#742736
Due to the virt-install utility not specifying any clock policy for Windows guests, the time on
the guest could skew from the time on the host. To prevent this, this update adapts the
virt-install utility to specify the tickpolicy "catchup".
Enhancements
BZ#691304
A new "--disk device=cdrom" command line option is now supported by the virt-install
utility. This option allows the user to specify a CD-ROM or diskette drive without inserted
media.
BZ#691331
A new "--numatune" command line option is now supported by the virt-install utility. This
option allows the user to specify the Non-Uniform Memory Access (NUMA) nodes for
memory pinning.
BZ#693876
The virt-install utility can now be used to create Linux container guests. This includes
application containers and full OS containers. Note that no tool is provided for creating an
OS directory tree and users must build this tree manually.
All users of python-virtinst are advised to upgrade to this updated package, which fixes these bugs
and adds these enhancements.
4.253. qemu-kvm
4.253.1. RHSA-2011:1531 — Moderate: qemu-kvm security bug fix and enhancement update
Updated qemu-kvm packages that fix one security issue, multiple bugs, and add various
enhancements are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact.
Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are
available for each vulnerability from the CVE links associated with each description below.
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64
systems that is built into the standard Red Hat Enterprise Linux kernel. The qemu-kvm packages form
the user-space component for running virtual machines using KVM.
Security Fix
CVE-2011-2527
It was found that qemu-kvm did not properly drop supplemental group privileges when the
root user started guests from the command line ("/usr/libexec/qemu-kvm") with the "-runas"
option. A qemu-kvm process started this way could use this flaw to gain access to files on
the host that are accessible to the supplementary groups and not accessible to the primary
group.
Note
This issue only affected qemu-kvm when it was started directly from the command
line. It did not affect the Red Hat Enterprise Virtualization platform or applications
that start qemu-kvm via libvirt, such as the Virtual Machine Manager (virt-manager).
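A defender can check for the condition described in CVE-2011-2527 by reading a process's credentials from /proc/<pid>/status. The added example below is not QEMU code: it parses two constructed status excerpts and reports supplementary groups that the unprivileged account is not entitled to, and it also shows a privilege-drop order that clears them. The uid/gid numbers, the ALLOWED_GROUPS set and the function names are assumptions made for illustration.

```python
import os
import pwd

# Constructed /proc/<pid>/status excerpts; uid and gid 107 and group 36 are sample values.
SAMPLE_LEAKY = """Name:\tqemu-kvm
Uid:\t107\t107\t107\t107
Gid:\t107\t107\t107\t107
Groups:\t0 1 2 3 4 6 10
"""

SAMPLE_CLEAN = """Name:\tqemu-kvm
Uid:\t107\t107\t107\t107
Gid:\t107\t107\t107\t107
Groups:\t36 107
"""

# Assumed group memberships of the unprivileged account named with "-runas".
ALLOWED_GROUPS = {36, 107}


def parse_status(text):
    """Extract name, real uid, real gid and supplementary groups from status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.split()
    return {
        "name": " ".join(fields.get("Name", [])),
        "uid": int(fields["Uid"][0]),
        "gid": int(fields["Gid"][0]),
        "groups": sorted({int(g) for g in fields.get("Groups", [])}),
    }


def leftover_groups(status_text, allowed_groups):
    """Supplementary groups still held after the uid change that the account should not have."""
    status = parse_status(status_text)
    if status["uid"] == 0:
        return []  # still running as root: no drop happened, which is a separate finding
    allowed = set(allowed_groups) | {status["gid"]}
    return [g for g in status["groups"] if g not in allowed]


def drop_privileges(user):
    """Drop order that avoids the flaw: supplementary groups, then gid, then uid.

    Must be called as root; after setuid() the process can no longer change its groups.
    """
    account = pwd.getpwnam(user)
    os.initgroups(account.pw_name, account.pw_gid)  # replaces root's supplementary groups
    os.setgid(account.pw_gid)
    os.setuid(account.pw_uid)


if __name__ == "__main__":
    print("leaky sample :", leftover_groups(SAMPLE_LEAKY, ALLOWED_GROUPS))
    print("clean sample :", leftover_groups(SAMPLE_CLEAN, ALLOWED_GROUPS))
```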
Bug Fixes
BZ#699635
When the "virsh dump" command was executed with the "--live" option, the subsequent
"virsh dump" command for the same domain could misbehave. This was caused by a
function trying to deallocate memory that had already been freed. To avoid this issue, the
log field of the vhost device structure is now set to NULL after it has been passed to a
deallocating routine. Running the "virsh dump" command repeatedly no longer leads to
non-standard behavior, and the core dump of a guest is now collected.
BZ#697441
Previously, SPICE (the Simple Protocol for Independent Computing Environments) sent the
QMP events from the SPICE worker thread context unlocked. As a consequence, memory
corruption occurred in certain cases. The global QEMU lock is now taken before the QMP
events are sent, which fixes the problem.
BZ#690427
When the user installed a previous version of Windows QXL driver without the off-screen
support over a new driver, the virtual machine terminated unexpectedly when the user
attempted to switch to graphics mode. With this update, the update_area_surface variable is
nullified on the reset of the QXL device, and virtual machines successfully load with a
previous version of the driver.
BZ#711213
Previously, the NFS (Network File System) request for the direct vectored I/O operation
resulted in splitting a single I/O request into multiple requests. This had a significant impact
on performance. QEMU has been modified to detect files that exist in NFS when a request
for vectored I/O operation comes to the server. The QEMU_AIO_MISALIGNED flag is now
used to force such requests to be handled with a linear buffer.
BZ#720972
The Broadcom Corporation NetXtreme BCM5761 Gigabit Ethernet PCIe network controller
provides a PCI-Express Cap structure that is 8 bytes shorter than it should be according to
the PCI-Express 2.0 specification. This resulted in memory corruption when it was allocated
for device assignment. The code has been modified to accept the reduced size of the
structure. BCM5761 can now be successfully re-assigned.
BZ#721114
Prior to this update, the savevm file was not flushed to disk properly. Restoring a virtual
machine failed in certain cases due to the savevm file being incomplete. The fsync() call
has been added to flush the data to disk, which fixes the problem.
BZ#730587
The qemu-img tool tried to keep sparseness even on very small areas, issuing small write
requests. As a consequence, executing the "qemu-img convert" command took a long time
for certain images. The qemu-img tool now requires larger zero areas to keep sparseness.
Write requests that are too small are now avoided, and the "qemu-img convert" command converts
images in a reasonable time.
BZ#728905
If the "none" cache option was selected, all the writes to the destination were very small. To
improve the performance of qemu-img, the tool has been modified to use larger buffers so
that the writes to the destination are larger.
BZ#718664
Previously, migration of floppy images failed if the user migrated an image from a newer
version of qemu-kvm to an older version, because qemu-kvm met a subsection it did not
recognize. In order to keep the migration compatibility, qemu-kvm now accepts the
subsections it does not recognize. As a result, migration of floppy images between any
versions of qemu-kvm is successful.
BZ#733010
When canceling a USB packet, the usb-storage emulation tried to cancel the corresponding
SCSI (Small Computer Systems Interface) request without checking whether one existed. A
NULL pointer dereference caused QEMU to terminate with a segmentation fault. Checks are
now performed to determine the presence of the SCSI request. Non-existing requests are not
referenced any more.
BZ#728464
If the user started QEMU with the "-no-shutdown" option, asking QEMU not to quit after the
guest shutdown, the flag was overlooked after the first shutdown of the guest. QEMU has
been modified to accept the option after repetitive shutdowns. QEMU no longer quits if this
option is supplied.
BZ#707130
When KVM guests were launched with the "-device isa-serial" option instead of the "-serial"
option, serial devices created were not visible to Windows guests. This was due to QEMU
not exposing these devices in the guests' Advanced Configuration and Power Interface
(ACPI) tables. With this update, the guest's ACPI Differentiated System Description Table
(DSDT) now properly determines the presence of serial devices, and Windows guests can
now see them properly.
BZ#694378
Previously, invalid balloon values, for example 0, caused QEMU to terminate. With this
update, input is validated, and QEMU does not terminate if invalid input occurs.
BZ#676528
Previously, the tray got locked if the user ejected a medium forcibly, by executing the "eject -f"
command. As a consequence, the user was unable to insert new media afterward. QEMU
has been modified to leave the tray open so that users can insert new media as expected.
BZ#624983
Previously, QEMU did not support the new set of Model Specific Registers (MSR), and
guests that used only the new set were therefore not able to use kvmclock. The new MSR set
is now supported, and all guests are now able to use kvmclock.
BZ#737921
Previously, a SPICE client connected to the migration target only if the migration was
completed. However, the ticket on the target was set before the migration started. If the time
of the migration was longer than the time for which the ticket expired, the SPICE client failed
to connect to the target and terminated. The SPICE server now informs the SPICE client to
connect to the target before the migration starts. The SPICE server waits until the client
performs the initial connection, and then calls the completion callback of the
"client_migrate_info" command. Now, the SPICE client connects to the migration target after
the migration.
BZ#710349
Previously, specifying serial numbers for virtio block devices did not work as expected.
Patches have been applied to address this issue; virtio block disks are now correctly
identified by guests and can be found in the /dev/disk/by-id/ directory.
BZ#738565
A bug in KVM's Non-Maskable Interrupt (NMI) delivery mechanism caused kernel dumps not
to be taken on SMP guests. The bug has been fixed, and kernel dumps are now
successfully captured on SMP guests.
BZ#706711
Suspending a Windows virtual machine with the running QXL driver caused the machine to
terminate on resume. This update implements related I/O calls, and handling specific for S3
adapters in the driver (note that the future QXL driver is required). A Windows virtual
machine with the running QXL driver can now be correctly suspended and resumed.
BZ#700134
Prior to this update, the QXL driver submitted requests to the SPICE server thread and
waited synchronously for the result. This, in certain cases, caused qemu-kvm to be
unresponsive for a long time. With this update, completion notification is used instead of
waiting. SPICE server thread processes the requests asynchronously, and qemu-kvm no
longer hangs.
BZ#742484
Previously, drives with removable media were ignored when creating snapshots. As a
consequence, reverting to a certain snapshot did not revert writes to floppy disks. A patch
has been applied to ensure that only read-only drives with read-only or empty media are
ignored. Snapshotting now treats writable floppy disks like any other writable drive.
BZ#742480
Previously, if the guest applied the "eject" command with the "-i" parameter to lock an open
tray, the guest was afterward not able to close the tray by running the "eject -t" command. A
patch has been applied to address this issue so that guests can successfully close open
trays, even if they are locked.
BZ#694373
When specifying a negative balloon value, the value was recognized by the code as a very
high positive value. As a consequence, the RAM the guest was started with, increased to its
maximum. With this update, QEMU now checks for negative values, and reports them as an
error.
BZ#742476
Previously, the "eject -f" monitor command worked even for non-removable drives. If the
user used the command for such drives, the drive could not be used by the guest. Users
could incorrectly interpret the problem as a hardware failure. A patch has been applied to
address this issue, and qemu-kvm refuses to eject non-removable drives.
BZ#742469
Previously, the CD-ROM drive prevented the guest from locking an empty tray. With this
update, qemu-kvm has been modified so that guests are allowed to lock empty drives
regardless of whether a medium is present in the drive or not.
BZ#681736
Previously, after a virtio-serial port was unplugged, all the communication from the guest to
the host, for all other ports on the virtio-serial device, was stopped. This was because the
back ends of the ports on the device were incorrectly marked as NULL. With this update, the
back ends of the device are checked per-port.
BZ#678729
When performing a device assignment of a PCI(e) PF (Physical Function) or VF (Virtual
Function) device with an invalid host PCI configuration address, such as 0Z:88.00, to a
KVM guest, the guest terminated with a core dump. With this update, the value of the B:D.F
fields of an assigned device are now checked to ensure that they are in the proper ranges.
When performing a device assignment of a PCI(e) PF or VF device with an invalid host PCI
configuration address, QEMU displays an error message and the device terminates
correctly.
BZ#725625
Previously, it was possible to expose multiple balloon devices to the guest. As a
consequence, QEMU could misbehave if various balloon devices were given different
commands. With this update, only one balloon device is allowed to be exposed to the
guest. Now, QEMU works correctly.
BZ#739480
Due to wrong initialization order for some data structures, migration could fail in rare
cases, and the instance of QEMU on the receiving host would terminate with a segmentation
fault. The initialization code is fixed with this update, and QEMU no longer crashes.
BZ#632299
Constant polling of a device (such as a USB tablet) in the USB emulation consumed an
excessive amount of CPU time. The remote wake up support has been added, which allows
the guest's power management to suspend the USB devices and wait for the wake up
notification. USB polling can now be stopped, and the CPU utilization on the host is
therefore reduced.
BZ#720535
If the character device on the host side was connected to a virtio-serial port, and was
closed just before the guest sent data, QEMU terminated unexpectedly. With this update, 0
is used as the return value of the write operation, and indicates that nothing was written to
the character device.
BZ#734860
Previously, the missing NULL check caused qemu-kvm to terminate unexpectedly shortly
after the start if a socket character device was missing the host parameter. This update
adds the missing NULL check. Now, if the device is missing the host parameter, qemu-kvm
terminates with an appropriate error message.
BZ#736975
Prior to this update, qemu-kvm failed to unregister balloon devices when hot unplugging
the device. As a consequence, the user was not able to hot plug a balloon device after he
had hot unplugged the previous one. With this update, qemu-kvm is modified to correctly
unregister the balloon device from the balloon core in QEMU. Now, balloon devices can be
added and removed successfully.
BZ#655719
Previously, the "change" monitor command did not return any error information if opening
a file failed. When the user attempted to execute the "change" command to change or insert
a non-existent file into the CD-ROM drive of a virtual machine, an "undefined error" or no
error message would be reported. With this update, the "change" command correctly
returns error information so that the user is properly informed.
BZ #658467
Every time the user executed the "savevm" command, qemu-kvm queried the value of
kvmclock even if the virtual machine had been stopped. As a consequence, the stability of
migration results could be broken. This update introduces a new kvmclock device, and
qemu-kvm queries kvmclock only if the valid flag is set. Now, kvmclock is stable for the
migration unit-test.
BZ #645351
Previously, QEMU did not support the USB 2.0 EHCI (Extended Host Controller Interface)
devices. It was therefore impossible to use such devices in guests. This update adds
support for the USB 2.0 EHCI emulation, so that users can use USB 2.0 devices.
BZ #583922
The RTL8139 network interface controller (NIC) emulated by qemu-kvm did not support IEEE
802.1Q-tagged frames. Guests which used 802.1Q tagged virtual LAN (VLAN) were not able
to communicate with each other as a consequence. This update adds support for 802.1Q.
Now, guests can use the 802.1Q VLAN protocol with RTL8139.
BZ #728984
When a QXL device is initialized, it ensures that its corresponding command rings are
empty. After migration, before a virtual machine is started, and when the QXL device is
initialized, the command rings should not be empty. Prior to this update, the command ring
was not empty and QEMU terminated with an assertion. With this update, QEMU is modified
to ensure that the rings are empty only if the virtual machine is not stopped. Now, QEMU no
longer terminates in the scenario described.
BZ #729294
Previously, the state of the keyboard LED lights was not kept during migration. When
migrating a guest with, for example, Caps Lock or Num Lock turned on, the lights were
turned off after the guest had been migrated, even when the function was still active. This
update adds the state of the keyboard LED lights to the qemu state which is kept during
migrations. As a result, the state of the keyboard LED lights is kept.
BZ #729621
Pausing all virtual CPUs was previously done by means of a specially registered handler in
the vkm_vm_state_change_handler list. During migration, the source virtual machine that
was stopped received an I/O exit after its state change handler had been called, but before
the virtual CPUs were paused. This resulted in an assertion and a termination of the virtual
machine. With this update, the virtual CPU is paused after (or resumed before) all handlers
are called. Migrations now proceed and finish as expected.
BZ #725965
During migration, the SPICE server on the target virtual machine started with the guest
agent disconnected, and was not notified when the agent was connected. After the
migration had been completed, the mouse on the client side was no longer available and
the function of copying and pasting did not work. With this update, the guest_open()
callback function is called at the migration target. Now, the mouse and the function of
copying and pasting work as expected in the scenario described.
BZ #733993
Previously, the SPICE server could be started even if the ssd.running property was set to
false. As a consequence, the migration target terminated unexpectedly with an assertion
after the migration had been completed. To fix this problem, the ssd.running property is now
set to true before the SPICE server is started.
BZ #735716
Previously, the qemu utility could be terminated by another process. The virtual machine
terminated and the user was alerted. However, the event was never logged, and the user
was therefore not able to determine what process caused qemu to terminate. Now, such
information is logged for troubleshooting purposes.
BZ #723270
Previously, management applications were not able to determine whether the tray was open
or closed. It could therefore be difficult for such applications to change media for the guest
at the right time. With this update, the "info block" monitor command is extended to display
the status of the tray. Management applications can now poll the command to see when the
tray opens and closes.
BZ #744780
In rare cases, QEMU used a SCSI request after its memory had been freed. As a
consequence, QEMU terminated unexpectedly with a segmentation fault. To fix this problem,
SCSI requests are used by QEMU as a part of emulation of USB mass storage devices.
BZ #740547
Previously, the QXL memory slots were not created after migration if the migration started in
VGA mode, and the guest was actually a native guest temporarily in VGA mode. After the
migration had been completed, qemu-kvm terminated when the user switched from VGA
mode back to native mode. With this update, all active memory slots are recreated during
migration in VGA mode. Switching back to native mode is now successful after migration.
BZ #714773
Due to a missing probe marker for the qemu.kvm.qemu_vmalloc probe point, it was not
possible to use "probe qemu.kvm.qemu_vmalloc" in a SystemTap script. The marker has
been added to the qemu_vmalloc() function, so that now it is possible to use "probe
qemu.kvm.qemu_vmalloc" in a SystemTap script.
BZ #710046
Previously, qemu-kvm printed an unnecessary warning about the CPU model used. This
message has been removed with this update.
BZ #705070
Previously, users were not able to take screenshots of secondary QXL displays. This
update introduces a new monitor command to fix the problem.
BZ #743269
Hot unplugging a snapshot block device could cause future snapshot operations to
misbehave or terminate unexpectedly. A patch has been applied to address this issue, and
hot unplugging block devices no longer endangers future snapshot operations.
BZ #743342
Previously, the state of the CD-ROM tray was not migrated and got lost. The tray was
instead closed and locked during the migration. This problem has been fixed and the state
of the tray is migrated correctly.
BZ #701442
Previously, the vm_running variable was not explicitly initialized, and its values were only
set by the state change notifier. This could confuse the virtio devices which were being hot
plugged, such as virtio-net with the vhost back end. These could assume that the virtual
machine was not running. As a consequence, vhost-net was not started after the virtio-net
devices were hot plugged. The vm_running variable is now initialized explicitly during the
virtio_common_init() call. The vhost-net devices are started, if required, after the virtio-net
devices have been hot plugged.
BZ #738487
Previously, when shutting down qemu-kvm due to the SIGTERM request, qemu-kvm did not
terminate if the "-no-shutdown" option was used. The SIGTERM request could not be properly
used to terminate qemu-kvm, and libvirt was therefore forced to send the SIGKILL signal,
which could in certain cases cause disk corruption. The source code has been modified, so
that the SIGTERM signal can now be used to terminate qemu-kvm even if "-no-shutdown" is
used. This prevents disks from being corrupted due to the SIGKILL signal being sent.
BZ #669581
Prior to this update, functions in the migration code did not handle and report errors
correctly. As a consequence, migration never ended if connection to the destination
migration port was rejected (for example by a firewall). This update includes multiple fixes of
error detection, reporting, and handling of errors in the migration code. Now, handling of
errors during migration is more reliable; for example if the connection to the destination
migration port is rejected, this is properly detected and migration is aborted.
BZ #715017
Previously, QEMU did not provide any mechanism to report read and write latency of a
block device. The management system was therefore not able to report what the average
latency for block devices of virtual machines was. This update implements a mechanism so
that qemu-kvm reports disk latency statistics by executing the "info blockstats" command.
BZ #710943
With this update, the event index feature is now supported by the Red Hat Enterprise Linux
6.2 guests. This reduces CPU utilization per megabyte for most workloads. The feature is
turned on by default, and can be disabled in libvirt's XML configuration.
BZ #700859
Prior to this update, the memory API was used incorrectly. As a consequence, a hot
plugged virtio-net device with vhost enabled became unresponsive after the guest had been
paused. This problem has been fixed, and if the guest is paused, the hot plugged device
works as expected.
BZ #738555
Nested virtualization is not supported by qemu-kvm. This update therefore removes the
"enable-nested" option.
BZ #723864
With this update, emulation of the following USB devices is disabled: usb-wacom-tablet
(usb-tablet can be used instead), usb-braille, usb-serial, usb-net, and usb-bt-dongle.
Enhancements
BZ #716906
A new QEMU machine type, Red Hat Enterprise Linux 6.2, has been added with this update.
This type is now used by default. If live migration compatibility with previous Red Hat
Enterprise Linux hosts is required, users can choose the Red Hat Enterprise Linux 6.1 or
Red Hat Enterprise Linux 6.0 machine types instead.
BZ #684949
Prior to this update, qemu-kvm was not able to display BIOS messages on boot of the
virtual machine. With this update, sgabios support has been added to qemu-kvm, and a
requirement to the new sgabios RPM package has been added as well. Now, qemu-kvm is
able to use sgabios to print BIOS messages to a virtual serial device, if configured to do so.
BZ #713743
The qemu-img tool was writing disk images using writeback and filling up the cache buffers
which were then flushed by the kernel. This prevented other processes from accessing the
storage. In a cluster environment, accessing the storage within certain timeouts could be
critical. This update adds an option to choose a cache method when writing disk images.
Users that require other cache methods can now choose the cache method on the
command line when using qemu-img.
BZ #725054
The warning message about the ability to run qemu-kvm directly has been modified to be
more clear.
BZ #621482
Previously, the qemu-img tool did not provide information about the completion percentage.
This update introduces the new "-p" option for qemu-img which displays progress
information while running.
BZ #696102
When resetting error physical memory pages (marked as HWPoison) of a guest, the guest
tried to reuse the memory pages after reboot. As a consequence, in certain cases, the guest
terminated unexpectedly, and could terminate repeatedly after multiple reboots. With this
update, memory marked as HWPoison is unmapped so that it cannot be reused. After
reboot, the guest can access new memory pages which are not marked as HWPoison.
BZ #693645
Newer versions of the SPICE client and agent allow users to copy and paste from the client
to the guest. However, this is not desirable in all environments. This update introduces a
new option, "disable-copy-paste", which allows users to turn off the copy and paste support
for the virtual machine which is being started.
Users of qemu-kvm are advised to upgrade to these updated packages, which contain backported
patches to correct these issues and add these enhancements. After installing this update, shut down
all running virtual machines. Once all virtual machines have shut down, start them again for this
update to take effect.
4.253.2. RHSA-2011:1777 — Important: qemu-kvm security update
Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise
Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link(s) associated with each description below.
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64
systems. qemu-kvm is the user-space component for running virtual machines using KVM.
Security Fix
CVE-2011-4111
A flaw was found in the way qemu-kvm handled VSC_ATR messages when a guest was
configured for a CCID (Chip/Smart Card Interface Devices) USB smart card reader in
passthrough mode. An attacker able to connect to the port on the host being used for such
a device could use this flaw to crash the qemu-kvm process on the host or, possibly,
escalate their privileges on the host.
All users of qemu-kvm should upgrade to these updated packages, which contain a backported
patch to resolve this issue. After installing this update, shut down all running virtual machines. Once
all virtual machines have shut down, start them again for this update to take effect.
4.253.3. RHSA-2012:0050 — Important: qemu-kvm security, bug fix, and enhancement update
Updated qemu-kvm packages that fix one security issue, one bug, and add one enhancement are
now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link(s) associated with each description below.
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64
systems. qemu-kvm is the user-space component for running virtual machines using KVM.
Security Fix
CVE-2012-0029
A heap overflow flaw was found in the way QEMU-KVM emulated the e1000 network
interface card. A privileged guest user in a virtual machine whose network interface is
configured to use the e1000 emulated driver could use this flaw to crash the host or,
possibly, escalate their privileges on the host.
Red Hat would like to thank Nicolae Mogoreanu for reporting this issue.
Bug Fix
BZ #767721
qemu-kvm has a "scsi" option, to be used, for example, with the "-device" option: "-device
virtio-blk-pci,drive=[drive name],scsi=off". Previously, however, it only masked the feature
bit, and did not reject SCSI commands if a malicious guest ignored the feature bit and
issued a request. This update corrects this issue. The "scsi=off" option can be used to
mitigate the virtualization aspect of CVE-2011-4127 before the RHSA-2011:1849 kernel
update is installed on the host.
This mitigation is only required if you do not have the RHSA-2011:1849 kernel update
installed on the host and you are using raw format virtio disks backed by a partition or LVM
volume.
If you run guests by invoking /usr/libexec/qemu-kvm directly, use the
"-global virtio-blk-pci.scsi=off" option to apply the mitigation. If you are using libvirt, as
recommended by Red Hat, and have the RHBA-2012:0013 libvirt update installed, no manual
action is required: guests will automatically use "scsi=off".
Note
After installing the RHSA-2011:1849 kernel update, SCSI requests issued by guests
via the SG_IO IOCTL will not be passed to the underlying block device when using
raw format virtio disks backed by a partition or LVM volume, even if "scsi=on" is
used.
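A check for the mitigation described above, added here as an example and not part of the Red Hat notes or of qemu-kvm: it lists the virtio-blk disks on a qemu-kvm command line that still accept SCSI requests. It assumes that scsi is on when unset, that a scsi= property on "-device" overrides the "-global" default, and that "-drive ...,if=virtio" disks are covered only by "-global"; the function names and the sample command line are constructed.

```shell
#!/bin/sh
# Added example (not Red Hat's code): audit a qemu-kvm argument list for
# virtio-blk disks that lack the scsi=off mitigation.
# Assumptions: scsi is on unless set otherwise; a scsi= property on -device
# overrides the -global default; "-drive ...,if=virtio" disks can only be
# covered by -global.

# device_prop NAME PROPLIST
# Print the value of NAME= from a comma-separated property list. If NAME is
# repeated the last value is printed; if it is absent nothing is printed.
device_prop() {
    (
        set -f          # do not glob-expand property strings
        IFS=,
        val=
        for p in $2; do
            case "$p" in
                "$1="*) val=${p#"$1="} ;;
            esac
        done
        printf '%s' "$val"
    )
}

# unmitigated_virtio_blk ARG...
# Print, one per line, the -device or -drive value of every virtio-blk disk
# whose effective scsi setting is not "off". No output means all are covered.
unmitigated_virtio_blk() {
    # Pass 1: find the default set with -global, wherever it appears.
    global_scsi=on
    prev=
    for arg in "$@"; do
        case "$prev" in
            -global|--global)
                case "$arg" in
                    virtio-blk-pci.scsi=*)
                        global_scsi=${arg#virtio-blk-pci.scsi=} ;;
                esac ;;
        esac
        prev=$arg
    done

    # Pass 2: evaluate each disk against its own setting or the default.
    prev=
    for arg in "$@"; do
        case "$prev" in
            -device|--device)
                case "$arg" in
                    virtio-blk-pci|virtio-blk-pci,*)
                        scsi=$(device_prop scsi "$arg")
                        [ "${scsi:-$global_scsi}" = off ] || printf '%s\n' "$arg" ;;
                esac ;;
            -drive|--drive)
                case ",$arg," in
                    *,if=virtio,*)
                        [ "$global_scsi" = off ] || printf '%s\n' "$arg" ;;
                esac ;;
        esac
        prev=$arg
    done
}

# Constructed sample: a guest started by hand with two raw LVM-backed disks,
# only the first of which has the mitigation.
sample_guest() {
    unmitigated_virtio_blk /usr/libexec/qemu-kvm -m 1024 \
        -drive file=/dev/vg0/guest_a,if=none,id=data0,format=raw \
        -device virtio-blk-pci,drive=data0,scsi=off \
        -drive file=/dev/vg0/guest_b,if=none,id=data1,format=raw \
        -device virtio-blk-pci,drive=data1
}

# Audit the arguments given to this script, or the sample when there are none.
if [ "$#" -gt 0 ]; then
    unmitigated_virtio_blk "$@"
else
    sample_guest
fi
```

Any line of output is a disk that needs "scsi=off" or the RHSA-2011:1849 kernel update on the host. The script does not check whether a flagged disk is a raw format disk backed by a partition or LVM volume, which is the only case the text above says requires the mitigation.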
Enhancement
BZ #767906
Prior to this update, qemu-kvm was not built with RELRO or PIE support. qemu-kvm is now
built with full RELRO and PIE support as a security enhancement.
All users of qemu-kvm should upgrade to these updated packages, which correct these issues and
add this enhancement. After installing this update, shut down all running virtual machines. Once all
virtual machines have shut down, start them again for this update to take effect.
4.253.4. RHBA-2012:0572 — qemu-kvm bug fix update
Updated qemu-kvm packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64
systems. The qemu-kvm packages form the user-space component for running virtual machines
using KVM.
Bug Fixes
BZ #799002
Previously, QEMU did not support 2000x2000 screen resolution. This resolution is now
supported.
BZ #805550
Previously, the free() function was missing in management of the "xsave" processor state.
This led to memory leaks in qemu-kvm when a guest used the xsave functionality, causing
excessive memory consumption on the host. Buffers used to manage xsave support are
now freed after use so that qemu-kvm no longer leaks memory.
All users of qemu-kvm are advised to upgrade to these updated packages, which fix these bugs. After
installing this update, shut down all running virtual machines. Once all virtual machines have shut
down, start them again for this update to take effect.
4.254. ql2400-firmware
4.254.1. RHBA-2011:1661 — ql2400-firmware bug fix and enhancement update
An updated ql2400-firmware package that provides several bug fixes and enhancements is now
available for Red Hat Enterprise Linux 6.
The ql2400-firmware package provides the firmware required to run the QLogic 2400 Series of mass storage
adapters.
This update upgrades the ql2400 firmware to upstream version 5.06.02, which provides a number of
bug fixes and enhancements over the previous version. (BZ #730814)
All users of QLogic 2400 Series Fibre Channel adapters are advised to upgrade to this updated
package.
4.255. ql2500-firmware
4.255.1. RHBA-2011:1660 — ql2500-firmware bug fix update
An updated ql2500-firmware package that fixes multiple bugs and adds various enhancements is
now available for Red Hat Enterprise Linux 6.
The ql2500-firmware package provides the firmware required to run the QLogic 2500 Series of mass
storage adapters.
This update upgrades the ql2500 firmware to upstream version 5.06.02, which provides a number of
bug fixes and enhancements over the previous version. (BZ #730818)
All users of QLogic 2500 Series Fibre Channel adapters are advised to upgrade to this updated
package, which fixes these bugs and adds these enhancements.
4.256. Qpid
4.256.1. RHEA-2012:0530 — Qpid bug fix and enhancement update
Updated Qpid packages that fix multiple bugs and add various enhancements are now available for
Red Hat Enterprise Linux 6.
Apache Qpid is a reliable, cross-platform, asynchronous messaging system that supports the
Advanced Message Queuing Protocol (AMQP) in several common programming languages. The
qpid-cpp packages provide a message broker daemon that receives, stores and routes messages
using the open AMQP messaging protocol along with run-time libraries for AMQP client applications
developed using Qpid C++. Clients exchange messages with an AMQP message broker using the
AMQP protocol. The qpid-qmf packages provide an extensible management framework layered on
Qpid messaging. The qpid-tools package provides management and diagnostic tools for Apache
Qpid brokers and clients. The qpid-tests package contains conformance tests for Apache Qpid. The
python-qpid package provides a python client library for the Apache Qpid implementation of the
AMQP protocol.
The qpid-cpp, qpid-qmf, qpid-tools, qpid-tests and python-qpid packages have been upgraded to
upstream version 0.14, which provides a number of bug fixes and enhancements over the previous
version. (BZ #807935, BZ #807936, BZ #807943, BZ #807946, BZ #807948)
All users of Qpid are advised to upgrade to these updated packages, which fix these bugs and add
these enhancements.
4.257. qpid-cpp
4.257.1. RHBA-2011:1670 — qpid-cpp bug fix and enhancement update
Updated qpid-cpp packages that fix several bugs and add various enhancements are now available
for Red Hat Enterprise Linux 6.
The qpid-cpp packages provide a message broker daemon that receives, stores, and routes
messages using the open AMQP (Advanced Message Queuing Protocol) messaging protocol along
with runtime libraries for AMQP client applications developed using Qpid C++. Clients exchange
messages with an AMQP message broker using the AMQP protocol.
The qpid-cpp package has been upgraded to upstream version 0.12, which provides numerous bug
fixes and enhancements over the previous version. (BZ #706949)
Bug Fixes
BZ #695777
In the previous version of Red Hat Enterprise Linux, when an attempt to convert a negative
value of a Variant Qpid type into an unsigned short type value was made, an exception was
issued. In Red Hat Enterprise Linux 6, no exception was issued and the value was
converted, e.g. "-5" became "65531". This bug has been fixed and the exception is now
properly issued in the described scenario.
BZ #735058
Previously, the non-static "isManagementMessage" class member was sometimes passed an
uninitialized value. This bug has been fixed and only initialized values are now passed in
the described scenario.
BZ #740912
The XML-Exchange library (as part of the qpid-cpp-server-xml package) is only available
on x86, Intel 64, and AMD64 architectures. Previously, this caused additional
dependencies on the xqilla and xerces-c packages to be added to the qpid-cpp RPM
package. However, functionality of these two packages is not needed for the Matahari agent
infrastructure. This update removes the dependency on these two packages for the
PowerPC and IBM System z architectures.
Enhancement
BZ #663461
Previously, qpid-cpp was only built for x86, Intel 64, and AMD64 architectures. This update
adds support, which is needed to provide the Matahari agent infrastructure on PowerPC
and IBM System z architectures.
Users of qpid-cpp are advised to upgrade to these updated packages, which fix these bugs and add
these enhancements.
4.258. qpid-qmf
4.258.1. RHBA-2011:1671 — qpid-qmf bug fix and enhancement update
Updated qpid-qmf packages that fix a bug and add various enhancements are now available for Red
Hat Enterprise Linux 6.
The qpid-qmf package provides an extensible management framework layered on Qpid messaging.
The qpid-qmf package has been upgraded to upstream version 0.12, which provides a number of
enhancements over the previous version. (BZ #706990)
Bug Fix
BZ #743657
Prior to this update, when "RequestContext._complete" was invoked, it would clear the
Agent's context, but not the Agent's sequence manager. Consequently qmf console objects
caused memory leaks. With this update the code has been corrected and the memory leak
of object instances in the Python console no longer occurs.
Enhancement
BZ #699499
The qmfv2 utility did not provide a way to determine via a pollable file descriptor if a new
event was available. Consequently more processor intensive methods were used. With this
update a new, optional, feature has been added, "qmf_fd". It is a file descriptor that is
readable if, and only if, there is at least one qmf event to be processed.
Users are advised to upgrade to these updated qpid-qmf packages, which fix this bug and add this
enhancement.
4.259. qpid-tests
4.259.1. RHBA-2011:1667 — qpid-tests bug fix update
An updated qpid-tests package is now available for Red Hat Enterprise Linux 6.
The qpid-tests package contains conformance tests for Apache Qpid.
The qpid-tests package has been upgraded to upstream version 0.12, which provides a number of
bug fixes and enhancements over the previous version. (BZ #706991)
All users of qpid-tests are advised to upgrade to this updated package.
4.260. qpid-tools
4.260.1. RHBA-2011:1668 — qpid-tools bug fix update
An updated qpid-tools package that fixes various bugs and adds an enhancement is now available
for Red Hat Enterprise Linux 6.
The qpid-tools package provides management and diagnostic tools for Apache Qpid brokers and
clients.
The qpid-tools package has been upgraded to upstream version 0.12, which provides a number of
bug fixes and enhancements over the previous version. (BZ #706992)
Bug Fixes
BZ #688163
Prior to this update, the qmf-tool utility did not have options to select an authentication
method. Consequently users could not connect to the qpid console securely. With this
update the qmf-tool has been improved to allow extended command line options for
selecting an authentication method. As a result command line options can now be used to
select an authentication method and users can connect to the qpid console securely.
BZ #711180
Prior to this update, when attempting to stop a node in a cluster by specifying the ID
number with the command "qpid-cluster -s [ID]", qpid-cluster terminated unexpectedly, the
requested node was not stopped, and the error message "'NoneType' object has no
attribute 'split'" was displayed. With this update qpid-tools no longer crashes and the
nodes can be stopped by specifying their IDs in the scenario described.
All users of qpid-tools are advised to upgrade to this updated package, which fixes these bugs and
adds this enhancement.
4.261. qt
4.261.1. RHSA-2011:1328 — Moderate: qt security update
Updated qt packages that fix two security issues are now available for Red Hat Enterprise Linux 6
FasTrack.
The Red Hat Security Response Team has rated this update as having moderate security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
Qt is a software toolkit that simplifies the task of writing and maintaining GUI (Graphical User
Interface) applications for the X Window System. HarfBuzz is an OpenType text shaping engine.
Security Fixes
CVE-2011-3193
A buffer overflow flaw was found in the harfbuzz module in Qt. If a user loaded a
specially-crafted font file with an application linked against Qt, it could cause the application to
crash or, possibly, execute arbitrary code with the privileges of the user running the
application.
CVE-2011-3194
A buffer overflow flaw was found in the way Qt handled certain gray-scale image files. If a
user loaded a specially-crafted gray-scale image file with an application linked against Qt,
it could cause the application to crash or, possibly, execute arbitrary code with the
privileges of the user running the application.
Users of Qt should upgrade to these updated packages, which contain backported patches to
correct these issues. All running applications linked against Qt libraries must be restarted for this
update to take effect.
4.261.2. RHBA-2011:1170 — qt bug fix update
Updated qt packages that resolve several issues are now available for Red Hat Enterprise Linux 6.
Qt is a software toolkit that simplifies the task of writing and maintaining GUI (Graphical User
Interface) applications for the X Window System.
Bug Fixes
BZ #562132
While using the Lohit font in the Malayalam script, the ra-kar character combination (0D4D
+ 0D30 in Unicode) was rendered incorrectly. This issue has been fixed and this
combination is now rendered correctly.
BZ #679759
Example binary files in the qt-examples package were missing execute permissions, which
meant that normal users could not run them. This has been fixed: file permissions have
been corrected and the example files now can be executed properly.
BZ #680088
Due to an issue in the qt buildroot, the complexpong example was incorrectly removed for
the PowerPC architecture qt-examples package, which caused missing files to be
reported when the qt-examples file list was verified. This issue has been fixed: the
complexpong example is now correctly included for all supported architectures.
BZ #716694
Previously, the /etc/rpm/macros.qt4 file was part of the qt-x11 package, which was incorrect.
This issue has been corrected: the file has been moved into the qt-devel package.
All users of qt are advised to upgrade to these updated packages, which resolve these issues.
4.262. qt3
4.262.1. RHBA-2011:1269 — qt3 bug fix update
Updated qt3 packages that fix one bug are now available for Red Hat Enterprise Linux 6.
Qt is a software toolkit that simplifies the task of writing and maintaining GUI (Graphical User
Interface) applications for the X Window System.
Bug Fix
BZ #651426
Prior to this update, the 64-bit architecture was not preferred over the 32-bit architecture
when setting the PATH environment variable on the 64-bit PowerPC platform. This bug has
been fixed in this update so that the 64-bit architecture is now preferred.
All users of qt3 are advised to upgrade to these updated packages, which fix this bug.
4.263. raptor
4.263.1. RHSA-2012:0410 — Important: raptor security update
Updated raptor packages that fix one security issue are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having important security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link(s) associated with each description below.
Raptor provides parsers for Resource Description Framework (RDF) files.
Security Fix
CVE-2012-0037
An XML External Entity expansion flaw was found in the way Raptor processed RDF files. If
an application linked against Raptor were to open a specially-crafted RDF file, it could
possibly allow a remote attacker to obtain a copy of an arbitrary local file that the user
running the application had access to. A bug in the way Raptor handled external entities
could cause that application to crash or, possibly, execute arbitrary code with the
privileges of the user running the application.
Red Hat would like to thank Timothy D. Morgan of VSR for reporting this issue.
All Raptor users are advised to upgrade to these updated packages, which contain a backported
patch to correct this issue. All running applications linked against Raptor must be restarted for this
update to take effect.
4.264. RDMA
4.264.1. RHEA-2011:1639 — RDMA stack bug fix and enhancement update
Updated RDMA packages that fix various bugs and add various enhancements are now available
for Red Hat Enterprise Linux 6.
Red Hat Enterprise Linux includes a collection of InfiniBand and iWARP utilities, libraries and
development packages for writing applications that use Remote Direct Memory Access (RDMA)
technology.
The InfiniBand/iWARP/RDMA stack components have been upgraded to more recent upstream
versions.
Bug Fixes
BZ #724896, BZ #724899, BZ #724900
The perftest, qperf, and srptool package spec files erroneously limited the 32 bit Intel build
to just the i386 architecture while Red Hat Enterprise Linux 6 now defaults 32 bit Intel builds
to the i686 architecture. As a consequence these packages failed to build on the i686
architecture. With this update the error has been corrected and the packages build as
expected.
BZ #721101
In Red Hat Enterprise Linux 6.1 changes to network functions to support multiple IP
addresses on an interface were made. This caused the ifup-ib script to fail to start IPoIB
interfaces depending on how the ifcfg-ib[n] (where [n] is 0 or greater) file was written.
Erroneous error messages, "Error: an inet prefix is expected rather than" or "Error, some
other host already uses address" were logged. With this update, the ifup-ib script has been
changed to handle an array of multiple IP addresses and the error no longer occurs in the
scenario described.
Enhance m e nt s
B Z #6 3339 2
This update provides support in OpenSM for Single Root I/O Virtualization (SRIOV) using
SRIOV ports exposed on Mellanox SRIOV capable devices.
BZ#725106
An OpenSM update was required in order to provide SRIOV support and the update
changed the names of the libraries exported by OpenSM and the rest of the InfiniBand
management stack. Therefore a new package, "compat-opensm-libs", that provides a copy
of the original libraries, was added to the stack to prevent this upgrade from breaking
installed applications.
All RDMA users should upgrade to these updated packages which fix these bugs and add these
enhancements.
4.265. Red Hat Enterprise Linux Release Notes
4.265.1. RHEA-2011:1773 — Red Hat Enterprise Linux 6.2 Release Notes
Updated packages containing the Release Notes for Red Hat Enterprise Linux 6.2 are now available.
Red Hat Enterprise Linux minor releases are an aggregation of individual enhancement, security and
bug fix errata. The Red Hat Enterprise Linux 6.2 Release Notes documents the major changes made
to the Red Hat Enterprise Linux 6 operating system and its accompanying applications for this minor
release. Detailed notes on all changes in this minor release are available in the Technical Notes.
Refer to the Online Release Notes for the most up-to-date version of the Red Hat Enterprise Linux 6.2
Release Notes:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.2_Release_Notes/index.html
4.265.2. RHEA-2011:1543 — Red Hat Enterprise Linux 6.2 Release Notes
Updated packages containing the Release Notes for Red Hat Enterprise Linux 6.2 are now available.
Red Hat Enterprise Linux minor releases are an aggregation of individual enhancement, security and
bug fix errata. The Red Hat Enterprise Linux 6.2 Release Notes documents the major changes made
to the Red Hat Enterprise Linux 6 operating system and its accompanying applications for this minor
release. Detailed notes on all changes in this minor release are available in the Technical Notes.
Refer to the Online Release Notes for the most up-to-date version of the Red Hat Enterprise Linux 6.2
Release Notes:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.2_Release_Notes/index.html
4.266. redhat-release
4.266.1. RHEA-2011:1743 — redhat-release enhancement update for Red Hat Enterprise Linux 6.2
An enhanced redhat-release package is now available for Red Hat Enterprise Linux 6.2.
The redhat-release package contains licensing information regarding, and identifies the installed
version of, Red Hat Enterprise Linux.
This updated redhat-release package reflects changes made for the release of Red Hat Enterprise
Linux 6.2.
Users of Red Hat Enterprise Linux 6 are advised to upgrade to this updated redhat-release package,
which adds this enhancement.
4.267. redhat-rpm-config
4.267.1. RHBA-2011:1748 — redhat-rpm-config bug fix update
An updated redhat-rpm-config package that fixes several bugs is now available for Red Hat
Enterprise Linux 6.
The redhat-rpm-config package is used during building of RPM packages to apply various default
distribution options determined by Red Hat. It also provides a few Red Hat RPM macro
customizations, such as those used during the building of Driver Update packages.
Bug Fixes
BZ#642768
Previously, when building two RPM packages, where one depended on symbols in the
other, the Driver Update Program (DUP) generated "Provides" and "Requires" symbols that
did not match. This bug has been fixed, and these symbols are now generated correctly by
DUP in the described scenario.
BZ#681884
If two kernel modules had a dependency, where one module referred to a function
implemented by the other, the symbol reference was built incorrectly. As a consequence, the
package that contained the module that depended on the other module could not be
installed. A patch has been provided to address this issue, and symbol references are now
generated correctly in the described scenario.
Enhancement
BZ#720866
Driver Update Disks now include additional dependency information to work with later
releases of Red Hat Enterprise Linux 6, in which a small change to installer behavior will
impact only newly-created Driver Update Disks. Disks made previously are not affected by
this update.
Users of redhat-rpm-config are advised to upgrade to this updated package, which fixes these bugs
and adds this enhancement.
4.268. resource-agents
4.268.1. RHSA-2011:1580 — Low: resource-agents security, bug fix, and enhancement update
An updated resource-agents package that fixes one security issue, several bugs, and adds multiple
enhancements is now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The resource-agents package contains a set of scripts to interface with several services to operate in
a High Availability environment for both Pacemaker and rgmanager service managers.
This update upgrades the resource-agents package to upstream version 3.9.2, which provides a
number of bug fixes and enhancements over the previous version. (BZ#707127)
Security Fix
CVE-2010-3389
It was discovered that certain resource agent scripts set the LD_LIBRARY_PATH
environment variable to an insecure value containing empty path elements. A local user
able to trick a user into running those scripts while working from an attacker-writable
directory could use this flaw to escalate their privileges via a specially-crafted
dynamic library.
Red Hat would like to thank Raphael Geissert for reporting this issue.
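One common way such a value arises is a script that prepends a directory to LD_LIBRARY_PATH while the variable is unset, which leaves a trailing separator behind. The following shell sketch is an added example, not code from the resource-agents package; the function names and the /opt/example/lib directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not code from the resource-agents package.
# /opt/example/lib is a constructed directory name.

# has_empty_element LIST
# Succeeds (returns 0) when a non-empty library search path contains a
# zero-length element: a leading, trailing or doubled separator. ld.so
# reads a zero-length element as the current working directory, and it
# accepts both ':' and ';' as separators.
has_empty_element() {
    list=$(printf '%s' "$1" | tr ';' ':')
    case "$list" in
        "")         return 1 ;;   # empty value: no extra directory is searched
        :*|*:|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# prepend_unsafe DIR CURRENT
# The risky idiom: the separator is written even when CURRENT is empty,
# so the result ends in ':' and gains an empty element.
prepend_unsafe() {
    printf '%s\n' "$1:$2"
}

# prepend_safe DIR CURRENT
# Hardened idiom: ${var:+...} emits the separator only when CURRENT is
# set and non-empty.
prepend_safe() {
    printf '%s\n' "$1${2:+:$2}"
}

# strip_empty_elements LIST
# Drops zero-length elements from an inherited value before it is reused.
# The body runs in a subshell so the IFS and globbing changes do not leak.
strip_empty_elements() (
    out=
    IFS=':;'
    set -f
    for elem in $1; do
        [ -n "$elem" ] || continue
        out="${out:+$out:}$elem"
    done
    printf '%s\n' "$out"
)

# Constructed scenario: LD_LIBRARY_PATH is unset in the caller's environment.
inherited=""
for candidate in "$(prepend_unsafe /opt/example/lib "$inherited")" \
                 "$(prepend_safe /opt/example/lib "$inherited")"; do
    if has_empty_element "$candidate"; then
        echo "UNSAFE: '$candidate' (current directory would be searched)"
    else
        echo "ok:     '$candidate'"
    fi
done
```

The same check can be run over a script's effective environment to audit agents that were installed before the update.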
Bug Fixes
BZ#711852
When using the Sybase database and the ASEHAagent resource in the cluster.conf file, it
was not possible to run more than one ASEHAagent per Sybase installation. Consequently,
a second ASEHA (Sybase Adaptive Server Enterprise (ASE) with the High Availability
Option) agent could not be run. This bug has been fixed and it is now possible to use two
ASEHA agents using the same Sybase installation.
BZ#693518
The s/lang scripts, which implement internal functionality for the rgmanager package, while
the central_processing option is in use, were included in the wrong package. Now, the
rgmanager and resource-agents packages require each other for installation to prevent
problems when they are used separately.
BZ#689801
Previously, the oracledb.sh script was using the "shutdown abort" command as the first
attempt to shut down a database. With this update, oracledb.sh first attempts a graceful
shutdown via the "shutdown immediate" command before forcing the shutdown.
BZ#667217
Previously, when setting up a service on a cluster with a shared IP resource and an Apache
resource, the generated httpd.conf file contained a bug in the line describing the shared IP
address (the "Listen" line). Now, the Apache resource agent generates the "Listen" line
properly.
BZ#667222
If a high-availability (HA) cluster service was defined with an Apache resource and was
named with two words, such as "kickstart httpd", the service never started because it could
not find a directory with the space character in its name escaped. Now, Apache resources
work properly if a name contains a space as described above.
BZ#691814
When inheritance was used in the cluster.conf file, a bug in the
/usr/share/cluster/nfsclient.sh file prevented it from monitoring NFS exports properly.
Consequently, monitoring of NFS exports to NFS clients resulted in an endless loop. This
bug has been fixed and the monitoring now works as expected.
BZ#694816
Previously, the postgres-8 resource agent did not detect when a PostgreSQL server failed
to start. This bug has been fixed and postgres-8 now works as expected in the described
scenario.
BZ#709400
When using the Pacemaker resource manager, the fs.sh resource agent reported an error
condition, if called with the "monitor" parameter and the referenced device did not exist.
Consequently, the error condition prevented the resource from being started. Now, fs.sh
returns the proper response code in the described scenario, thus fixing this bug.
BZ#727643
Previously, numerous RGManager resource agents returned incorrect response codes
when coupled with the Pacemaker resource manager. Now, the agents have been updated
to work with Pacemaker properly.
Enhancement
BZ#678497
With this update, when the network is removed from a node using the netfs.sh resource
agent, it now recovers faster than previously.
All users of resource-agents are advised to upgrade to this updated package, which corrects these
issues and adds these enhancements.
4.269. rgmanager
4.269.1. RHBA-2011:1595 — rgmanager bug fix and enhancement update
An updated rgmanager package that fixes various bugs and adds one enhancement is now
available for Red Hat Enterprise Linux 6.
The rgmanager package contains the Red Hat Resource Group Manager, which provides the ability
to create and manage high-availability server applications in the event of system downtime.
The rgmanager package has been upgraded to upstream version 3.0.12.1, which provides a number
of bug fixes and enhancements over the previous version. Note that this update requires the
resource-agents package in version 3.9.2 or later. (BZ#707118)
Bug Fixes
BZ#673167
When handling failed services, the "clusvcadm -d" command now operates consistently.
BZ#690191
Exclusive prioritization now operates on service failures instead of only on node failures.
BZ#692895
The rgmanager service no longer terminates unexpectedly with a segmentation fault when a
resource agent provides invalid or corrupted metadata.
BZ#709398
Reference count handling of resources with multiple instances has been corrected.
BZ#716231
An error in handling of independent subtree failures, which caused more resources to be
disabled than necessary, has been fixed.
BZ#697446, BZ#741607
The rgmanager service no longer terminates unexpectedly on startup/shutdown or during
service relocation.
Enhancement
BZ#723925
The rgmanager service can now be disabled in the cluster.conf configuration file.
All users of rgmanager are advised to upgrade to this updated package, which fixes these bugs and
adds this enhancement.
4.270. rhn-client-tools and yum-rhn-plugin
4.270.1. RHBA-2011:1664 — rhn-client-tools and yum-rhn-plugin bug fix update
Updated rhn-client-tools and yum-rhn-plugin packages that fix several bugs are now available for
Red Hat Enterprise Linux 6.
The rhn-client-tools and yum-rhn-plugin packages provide programs and libraries that allow a
system to receive software updates from Red Hat Network or Red Hat Network Satellite.
Bug Fixes
BZ#684250
Prior to this update, the order of screens in the firstboot application may have varied
depending on the current locale. This update corrects the priority of the Red Hat Network
module so that the order of the firstboot screens is no longer affected by the translation in
use.
BZ#684913
When rhn_register fails to verify the server's SSL certificate, it terminates with a traceback.
Previously, this traceback contained a misleading exception message which treated a CA
certificate as an SSL certificate. The relevant exception message has now been rephrased
to make sure such a traceback does not contain misleading information.
BZ#698525
Due to an error in rhnplugin, running the "yum repolist" command may have incorrectly
reported previously cached channels as available. This update adapts rhnplugin to use
the list of cached channels only when the user explicitly requests it (for example, by using
the "--cacheonly" command line option).
BZ#700750
When used in conjunction with yum 3.2.29, rhnplugin caused the "yum clean" command to
create empty directories in the current directory for every registered Red Hat Network
repository. This update ensures that no directories are created when "yum clean" is
executed, as expected.
BZ#701189
When building a list of cached channels, the previous version of rhnplugin failed to verify
that a cachedir directory exists. This caused this list to be empty, and any subsequent "yum
clean" command therefore ignored these channels. This update adapts rhnplugin to create
such a directory when necessary so that the list of cached channels can be successfully
created.
BZ#702084, BZ#702107
Previously, running the "rhn-channel -L" command with an incorrect username or
password or as a user without permissions to administer the system in question caused it to
terminate unexpectedly with a traceback. The rhn-channel utility has been corrected to
display an appropriate error message in this situation.
BZ#707161
Previously, an error in rhnplugin occasionally prevented yum from displaying the
download progress for packages from Red Hat Network or Red Hat Network Satellite. This
update adapts rhnplugin to set up Red Hat Network channels during the plug-in
initialization, and the download progress is now displayed for all packages.
BZ#710065, BZ#714113
Prior to this update, the presence of a UTF-8 character in an error or log message caused
rhnplugin to terminate unexpectedly with a traceback. Such messages are now printed as
expected.
BZ#713548
Due to incompatible APIs, an attempt to run the "spacewalk-channel -L" command on a
system registered with Red Hat Network Satellite failed with a traceback. This update
resolves the compatibility issue and the command no longer fails in this scenario.
BZ#725496
When processing the /etc/yum/pluginconf.d/rhnplugin.conf file, the previous version of
rhnplugin incorrectly ignored options in the [main] section other than "enabled" and
"gpgcheck". This update ensures that this file is now processed correctly.
BZ#729468
When a machine is already registered using the Red Hat Subscription Manager tool, an
attempt to register it with RHN Classic or Red Hat Network Satellite causes the rhn_register
utility to display a warning message. This update rephrases this warning message for
clarity.
BZ#690440
Previously, the rhn-profile-sync(8), rhn_register(8), rhnreg_ks(8), and up2date(5) manual
pages incorrectly listed /etc/sysconfig/rhn/update as the common configuration file used by
RHN client programs. This update adapts these manual pages to use the correct file,
/etc/sysconfig/rhn/up2date.
Users of rhn-client-tools and yum-rhn-plugin should upgrade to these updated packages, which fix
these bugs.
4.271. rhnlib
4.271.1. RHBA-2011:1665 — rhnlib bug fix update
An updated rhnlib package that fixes various bugs is now available for Red Hat Enterprise Linux 6.
The rhnlib package consists of a collection of Python modules used by the Red Hat Network (RHN)
software.
Bug Fixes
BZ#688095
Due to an error in the rhnlib code, network operations would have become unresponsive
when an HTTP connection to Red Hat Network (RHN) or RHN Satellite became idle. The
code has been modified to use a timeout for HTTP connections. Network operations are now
terminated after a predefined time interval and can be restarted.
BZ#730744
Prior to this update, programs that used rhnlib were not able to connect to RHN or RHN
Satellite using an IPv6 address. The code has been modified to correct this issue, and
rhnlib-based applications are now able to connect to RHN or RHN Satellite without any
problems with IPv6 address resolution.
All users of rhnlib are advised to upgrade to this updated package, which resolves these issues.
4.272. ricci
4.272.1. RHBA-2011:1698 — ricci bug fix and enhancement update
Updated ricci packages that fix multiple bugs and add one enhancement are now available for Red
Hat Enterprise Linux 6.
The ricci packages contain a daemon and a client for remote configuring and managing of clusters.
Bug Fixes
BZ#697493
Prior to this update, the ccs_sync utility could not handle IPv6 addresses. This could
prevent the cluster.conf file from being distributed to nodes. The ccs_sync utility has been
modified to be able to recognize and use IPv6 addresses. Now, the cluster.conf file is
distributed to all nodes correctly.
BZ#718230
The ccs tool did not add or list virtual machine services correctly when using the
"ccs --addresource" command. This was caused by the virtual machine resource being incorrectly
added in the "resources" tag instead of the "rm" tag. This problem has been fixed and
virtual machine services are now added directly in the "rm" tag when using the ccs tool.
BZ#725722
Prior to this update, the /usr/share/ccs/cluster.rng schema file did not contain a definition of
the "suborg" option for the fence_cisco_ucs agent. As a consequence, the cluster.conf file
was not changed when adding a fencing instance definition with the "suborg" option. With
this update, the cluster.rng schema has been modified to match the schema present in the
cman package.
BZ#721109
Previous versions of ricci did not require the modcluster package even though it was
needed for ricci to work correctly. With this update, ricci now requires modcluster to be
installed.
Enhancement
BZ#696901
The ccs utility can now parse metadata in /usr/share/cluster and lists all the services and
fence devices available, as well as their options.
All users of ricci are advised to upgrade to these updated ricci packages, which fix these bugs and
add this enhancement.
4.273. rng-tools
4.273.1. RHEA-2011:1774 — rng-tools bug fix update
An enhanced rng-tools package that adds two enhancements is now available for Red Hat Enterprise
Linux 6.
The rng-tools package contains the random number generator user space utilities, such as the rngd
daemon.
Enhancements
BZ#733452
A new "-i, --ignorefail" command line option has been added to the rngd daemon. This
option allows rngd to ignore repeated warning messages about failed FIPS checks.
BZ#749629
The rngd(8) manual page has been modified to include the "-i, --ignorefail" option.
All users of rng-tools are advised to upgrade to this updated package, which adds these
enhancements.
4.273.2. RHEA-2011:1776 — rng-tools enhancement update
An enhanced rng-tools package that adds two enhancements is now available for Red Hat Enterprise
Linux 6.
The rng-tools package contains the random number generator user space utilities, such as the rngd
daemon.
Enhancements
BZ#754752
The startup script and configuration files for the rngd daemon have been added to the
/etc/init.d/ and /etc/sysconfig/ directory, respectively.
All users of rng-tools are advised to upgrade to this updated package, which adds these
enhancements.
4.274. rpm
4.274.1. RHSA-2012:0451 — Important: rpm security update
Updated rpm packages that fix multiple security issues are now available for Red Hat Enterprise
Linux 5 and 6; Red Hat Enterprise Linux 3 and 4 Extended Life Cycle Support; Red Hat Enterprise
Linux 5.3 Long Life; and Red Hat Enterprise Linux 5.6, 6.0 and 6.1 Extended Update Support.
The Red Hat Security Response Team has rated this update as having important security impact.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
The RPM Package Manager (RPM) is a command-line driven package management system capable
of installing, uninstalling, verifying, querying, and updating software packages.
Security Fix
CVE-2012-0060, CVE-2012-0061, CVE-2012-0815
Multiple flaws were found in the way RPM parsed package file headers. An attacker could
create a specially-crafted RPM package that, when its package header was accessed, or
during package signature verification, could cause an application using the RPM library
(such as the rpm command line tool, or the yum and up2date package managers) to crash
or, potentially, execute arbitrary code.
Note: Although an RPM package can, by design, execute arbitrary code when installed, this issue
would allow a specially-crafted RPM package to execute arbitrary code before its digital signature
has been verified. Package downloads from the Red Hat Network are protected by the use of a secure
HTTPS connection in addition to the RPM package signature checks.
All RPM users should upgrade to these updated packages, which contain a backported patch to
correct these issues. All running applications linked against the RPM library must be restarted for this
update to take effect.
4.274.2. RHBA-2011:1737 — rpm bug fix and enhancement update
Updated rpm packages that fix several bugs and add one enhancement are now available for Red
Hat Enterprise Linux 6.
The RPM Package Manager (RPM) is a powerful command line driven package management system
that can install, uninstall, verify, query and update software packages.
Bug Fixes
BZ#651951
Prior to this update, RPM did not allow for self-conflicts. As a result, a package could not be
installed if a conflict was added against the name of this package. With this update,
self-conflicts are permitted. Now, packages can be installed as expected.
BZ#674348
The rpm2cpio.sh utility was omitted when RPM switched the default compression format for
the package payload to xz. As a consequence, the utility was not able to extract files. This
update adds the xz support for rpm2cpio.sh and the utility now extracts files successfully.
BZ#705115
Prior to this update, when installing a package containing the same files as an already
installed package, the file with the less preferred architecture was overwritten silently even if
the file was not a binary. With this update, only binary files can overwrite other binary files;
conflicting non-identical and non-binary files print an error message.
BZ#705993
Previously, files that were listed in the spec file with the %defattr(-) directive did not keep
the attributes they had in the build root. With this update, the modified RPM can now keep
these attributes.
BZ#707449
Prior to this update, signing packages that had already been signed with the same key
could cause the entire signing process to abort. With this update, RPM is modified so that
packages with identical signatures are skipped and the others are signed.
BZ#721363
Prior to this update, passing packages with a broken signature could cause the librpm
library to crash. The source code has been revised and broken signatures are now
rejected.
Enhancement
BZ#680889
Previously, importing GPG keys that had already been imported before could cause RPM to
fail with an error message. RPM has been modified and now imports the keys successfully.
All users of RPM are advised to upgrade to these updated packages, which fix these bugs and add
this enhancement.
4.275. rsyslog
4.275.1. RHBA-2011:1673 — rsyslog bug fix and enhancement update
Updated rsyslog packages that fix multiple bugs and add various enhancements are now available
for Red Hat Enterprise Linux 6.
The rsyslog packages provide an enhanced, multi-threaded syslog daemon that supports MySQL,
syslog/TCP, RFC 3195, permitted sender list, filtering on any message part, and fine grained output
format control.
Bug Fixes
BZ#661858
Previously, running rsyslog with Transport Layer Security (TLS) and TCP caused extensive
memory and CPU consumption. Consequent to this, the system could become
unresponsive. The source code has been modified and problems with the memory and CPU
consumption no longer occur.
BZ#698705
Prior to this update, the rsyslog initscript created an invalid lock file named rsyslogd. As a
consequence, rsyslog and rsyslogd did not match and the rc daemon did not stop the
process when shutting down the system. With this update, the source code is modified so
that the initscript creates a valid lock file.
BZ#701782
On the IBM System z and PowerPC architectures, the rsyslog daemon did not respect the
configuration to send messages using TLS encryption. As a consequence, messages were
sent as plain text. With this update, rsyslog is modified to send messages encrypted.
BZ#727208
Previously, the "ActionExecOnlyOnceEveryInterval" directive did not work as expected. If
another message came within the time limit, the timeout got reset and would never expire.
This problem has been fixed and the timeout now expires as expected.
Enhancements
BZ#618488
Previously, rsyslog did not build the omsnmp module by default. This update provides the
omsnmp module so that users are able to send syslog messages over Simple Network
Management Protocol (SNMP).
BZ#683537
Previously, the rsyslog daemon included /var/log/boot.log in the /etc/logrotate.d/syslog file.
The rotation caused a new boot.log file to be created with zero length, while a date was
appended to the old one. Eventually, after a certain number of rotations, the boot.log data
got lost. With this update, rotation is no longer used for /var/log/boot.log.
BZ#702314
This update includes the new ommail module in the rsyslog package, which can be used
for sending emails based on received syslog events.
BZ#737096
This update introduces the new "SpaceLFOnReceive" configuration option and the
"RSYSLOG_SysklogdFileFormat" format template. These new features allow users to
configure rsyslog to behave like the sysklogd daemon, which was available in previous
releases.
Users are advised to upgrade to these updated rsyslog packages, which fix these bugs and add
these enhancements.
4.276. ruby
4.276.1. RHSA-2011:1581 — Low: ruby security, bug fix, and enhancement update
Updated ruby packages that fix two security issues, various bugs, and add one enhancement are
now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having low security impact. A Common
Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available
for each vulnerability from the CVE link(s) associated with each description below.
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text
files and to do system management tasks.
Security Fixes
CVE-2011-3009
It was found that Ruby did not reinitialize the PRNG (pseudorandom number generator)
after forking a child process. This could eventually lead to the PRNG returning the same
result twice. An attacker keeping track of the values returned by one child process could
use this flaw to predict the values the PRNG would return in other child processes (as long
as the parent process persisted).
CVE-2011-2705
A flaw was found in the Ruby SecureRandom module. When using the
SecureRandom.random_bytes class, the PRNG state was not modified after forking a child
process. This could eventually lead to SecureRandom.random_bytes returning the same
string more than once. An attacker keeping track of the strings returned by one child
process could use this flaw to predict the strings SecureRandom.random_bytes would
return in other child processes (as long as the parent process persisted).
Bug Fixes
BZ#706332
The ruby package has been upgraded to upstream point release 1.8.7-p352, which
provides a number of bug fixes over the previous version.
BZ#717709
The MD5 message-digest algorithm is not a FIPS-approved algorithm. Consequently, when
a Ruby script attempted to calculate an MD5 checksum in FIPS mode, the interpreter
terminated unexpectedly. This bug has been fixed and an exception is now raised in the
described scenario.
BZ#730287
Due to inappropriately handled line continuations in the mkconfig.rb source file, an attempt
to build the ruby package resulted in unexpected termination. An upstream patch has been
applied to address this issue and the ruby package can now be built properly.
BZ#674787
When the 32-bit ruby-libs library was installed on a 64-bit machine, the mkmf library failed
to load various modules necessary for building Ruby-related packages. This bug has been
fixed and mkmf now works properly in the described scenario.
BZ#722887
Previously, the load paths for scripts and binary modules were duplicated on the i386
architecture. Consequently, an ActiveSupport test failed. With this update, the load paths
are no longer stored in duplicates on the i386 architecture.
Enhancement
BZ#673162
With this update, SystemTap probes have been added to the ruby package.
All users of ruby are advised to upgrade to these updated packages, which resolve these issues and
add this enhancement.
4.276.2. RHSA-2012:0069 — Moderate: ruby security update
Updated ruby packages that fix one security issue are now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text
files and to do system management tasks.
Security Fix
CVE-2011-4815
A denial of service flaw was found in the implementation of associative arrays (hashes) in
Ruby. An attacker able to supply a large number of inputs to a Ruby application (such as
HTTP POST request parameters sent to a web application) that are used as keys when
inserting data into an array could trigger multiple hash function collisions, making array
operations take an excessive amount of CPU time. To mitigate this issue, randomization
has been added to the hash function to reduce the chance of an attacker successfully
causing intentional collisions.
Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges Julian Wälde and
Alexander Klink as the original reporters.
All users of ruby are advised to upgrade to these updated packages, which contain a backported
patch to resolve this issue.
4.276.3. RHBA-2012:0425 — ruby bug fix update
Updated ruby packages that fix one bug are now available for Red Hat Enterprise Linux 6.
Ruby is an extensible, interpreted, object-oriented scripting language. It has features to process text
files and to do system management tasks.
Bug Fix
BZ#799959
If a marshaled object contained multiple child objects and the call to the Marshal.load
method was interrupted by a context switch, a segmentation fault could have been
triggered. This was due to a thread-safety bug in the Ruby interpreter and could affect
multiple packages. To prevent segmentation faults from occurring, the destination string is
marked, and data tables that are identical with symbol tables are cleared.
All users of ruby are advised to upgrade to these updated packages, which fix this bug.
4.276.4. RHEA-2012:0459 — ruby enhancement update
Enhanced ruby packages are now available for Red Hat Enterprise Linux 6.
[Updated 6 Apr 2011] The text of this advisory has been updated to reflect the fact that these
packages are not new in Red Hat Enterprise Linux 6.
Ruby is an interpreted scripting language for quick-and-easy object-oriented programming. It has
many features to process text files and perform system management tasks, similar to Perl. It is simple,
straight-forward, and extensible.
This enhancement update moves the ruby-rdoc and ruby-devel packages from the Red Hat
Enterprise Linux 6 Optional channels to the Red Hat Enterprise Linux 6 base channels. This update
does not make any other changes to packages. (BZ #810128)
All users who require ruby should install these enhanced packages.
4.277. s390utils
4.277.1. RHBA-2011:1525 — s390utils bug fix and enhancement update
Updated s390utils packages that fix multiple bugs and add multiple enhancements are now available
for Red Hat Enterprise Linux 6.
The s390utils packages contain a set of utilities and daemons related to Linux for the IBM System z
architecture.
Bug Fixes
BZ#746202
The cmsfs-fuse tool did not correctly update the number of records on the disk under certain
conditions. This could result in an unreadable file when the last free data block on
the disk was used. The cmsfs-fuse tool has been modified to update the highest record
number according to the number of records written before the disk is full. The problem with
unreadable files no longer occurs.
BZ#746201
Previously, FBA-512 disks could not be mounted using the cmsfs-fuse utility because
cmsfs-fuse expected to find the label information at a different position than where it is located
on FBA-512 disks. Also, the block size of the formatted FBA-512 disk can differ from the
usual FBA disk block size, which is 512 bytes. With this update, cmsfs-fuse has been
modified to detect the label information of FBA-512 disks and the formatted block size is
now read from the label. FBA-512 disks can now be mounted with cmsfs-fuse as
expected.
BZ#746195
The cmsfs-fuse utility incorrectly calculated the logical address of the data block that was to
be allocated or freed. As a consequence, a write operation failed if a disk with a block size
of 512 bytes was larger than 256 MB. With this update, cmsfs-fuse has been modified
to calculate logical addresses correctly, and disks with a block size of 512 bytes can be
written to regardless of their capacity.
BZ#745940
Under certain circumstances, cmsfs-fuse could incorrectly calculate the end of a file when
parsing a data record of a file in the fixed record format. As a consequence, an attempt to read
such a file failed with an I/O error. The cmsfs-fuse utility has been modified to calculate data
records and detect the end of a file correctly. Read operations on files in the fixed record
format are now successful.
BZ#745939
When performing multiple subsequent write operations on a file in the fixed record format,
cmsfs-fuse could, under certain circumstances, incorrectly determine the current write
position. As a consequence, write operations could fail. The cmsfs-fuse tool now
maintains, as long as a file is open for writing, a write pointer that refers to the current write
position, and thus allows contiguous writes to the file in the fixed record format without
any failures.
BZ#745938
The cmsfs-fuse utility did not reset the record length attribute after finishing a write
operation. As a consequence, the next write operation failed if a disk was mounted with the
-o big_writes option, which enables write operations bigger than 4 KB, and the
previously written record was larger than a disk block size. With this update, cmsfs-fuse
resets the record length attribute after every write operation, and writing to a file no longer
fails in the scenario described.
BZ#736397
The qetharp utility did not check the length of the given interface name parameter.
Therefore, the qetharp command terminated with a buffer overflow when it was executed
with an interface name that was longer than 16 bytes. With this update, qetharp checks
the length of the interface name parameter, and properly exits with the Error: interface
name too long error message if the parameter is longer than it is allowed to be.
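The length check described for qetharp, shown as an added example that is not the s390utils code: a hypothetical set_ifname() helper refuses any name that does not fit, together with its terminating NUL, before copying it. It assumes the destination is the ifr_name field of struct ifreq (IFNAMSIZ bytes), which the advisory does not state.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* strnlen() and struct ifreq on glibc */
#endif
#include <errno.h>
#include <net/if.h>          /* IFNAMSIZ, struct ifreq */
#include <stdio.h>
#include <string.h>

/*
 * set_ifname() is a hypothetical helper, not a function from qetharp.
 * It copies a user-supplied interface name into ifr->ifr_name only if the
 * name is non-empty and fits with its terminating NUL.
 * Returns 0 on success, -1 with errno set on rejection.
 */
int set_ifname(struct ifreq *ifr, const char *name)
{
    size_t len;

    if (ifr == NULL || name == NULL) {
        errno = EINVAL;
        return -1;
    }
    /* strnlen() stops after IFNAMSIZ bytes, so oversized input is not walked in full. */
    len = strnlen(name, IFNAMSIZ);
    if (len == 0) {
        errno = EINVAL;
        return -1;
    }
    if (len >= IFNAMSIZ) {               /* no room left for the terminating NUL */
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(ifr, 0, sizeof(*ifr));        /* zero fill also terminates the name */
    memcpy(ifr->ifr_name, name, len);
    return 0;
}

int main(int argc, char **argv)
{
    struct ifreq ifr;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <interface>\n", argv[0]);
        return 2;
    }
    if (set_ifname(&ifr, argv[1]) < 0) {
        if (errno == ENAMETOOLONG)
            fprintf(stderr, "Error: interface name too long\n");
        else
            fprintf(stderr, "Error: invalid interface name\n");
        return 1;
    }
    printf("interface name accepted: %s\n", ifr.ifr_name);
    return 0;
}
```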
BZ#695380
Due to the redundant free() function call in the configuration file of cmsfs-fuse, the
utility attempted to deallocate already freed memory. As a consequence, cmsfs-fuse
exhibited unpredictable behavior in the file type translation mode, such as a no longer
accessible file system. With this update, the superfluous free() function call has been
removed, and cmsfs-fuse now behaves as expected.
BZ#745936
Under certain circumstances, a file size calculation could cause a data type overflow,
which resulted in a negative value. As a consequence, it was impossible to create
files larger than 2 GB. With this update, cmsfs-fuse has been modified to cast the data type
of variables, structure members and functions used in the calculation to a longer data type
before calculating the file size. The cmsfs-fuse utility now works as expected and files
larger than 2 GB can now be created.
BZ#740302
The lsmem and chmem utilities assumed only contiguous memory blocks. Therefore, if the
memory was non-contiguous and memory blocks did not follow in the presumed order, the
lsmem utility did not show available memory that followed after a part of the physical
address space that was not mapped to physical memory, a so-called memory hole, and
the chmem utility did not work at all. The lsmem and chmem utilities have been modified
to work correctly with non-contiguous memory.
BZ#738341
The lscss and lsdasd tools did not correctly handle a situation when running on a sysfs
device tree that was changing. If a device disappeared from the device tree while lscss or
lsdasd was attempting to access attributes of the device, the tool displayed pointless error
messages. With this update, the lscss and lsdasd code has been modified to suppress
the related error messages. In addition, the return code of the lscss -h and lsdasd -h
commands has been corrected.
BZ#738340
The lsluns utility did not check whether the SCSI Generic (sg) driver was loaded in
the kernel and sg functionality was thus available. Therefore, lsluns silently failed
when it was started and sg functionality was unavailable on the system. With this
update, lsluns now includes the missing check and exits with an error message when it is
started on a system with the sg functionality unavailable.
BZ#738329
The af_iucv(8) man page now contains previously missing information about
HiperSockets and HiperSocket connections, including an explanation on how to
configure a HiperSocket device.
BZ#736035
Previously, the dumpconf utility used the DELAY_MINUTES variable to delay restart of a
system on kernel panic. However, users expected immediate action, therefore dumpconf
has been modified to set the DELAY_MINUTES variable to 0 on system restart. Restart of the
system with dumpconf is now triggered immediately.
BZ#732739
The cpuplugd daemon did not properly handle lines commented out and did not correctly
match strings in its configuration file. Consequently, lines in the configuration file that were
commented out could be executed, which resulted in a parsing error, and invalid variable
names were sometimes not rejected. The comment handling and string matching routines
have been corrected in the code, and cpuplugd now behaves as expected when parsing
the configuration file.
BZ#730978
When calculating a date for a timestamp, the Perl localtime function incorrectly returned
the month within a range from 0 to 11 instead of a range from 1 to 12, which
resulted in timestamps shifted by one month backward. To correct this problem, the returned
integer is incremented by one. The zfcpdbf utility now generates correct timestamps.
BZ#730370
The lsluns --help command incorrectly suggested using an invalid --ports option.
This mistake has been corrected, and lsluns --help now correctly displays the --port option.
BZ#729610
The fdasd utility did not distinguish between interactive and non-interactive mode.
Therefore, when running the fdasd utility with the --config or --auto option on a
device with no valid disk label, fdasd could stop with the following output:
no known label
Should I create a new one? (y/n)
Or it could fail with the following error message:
Disc does not contain a VOL1 label, cannot create partitions.
exiting...
With this update, the fdasd utility has been modified to properly check whether it should run in
interactive or non-interactive mode, and it behaves accordingly.
BZ#726414
The cpuplugd(8) man page has been modified to correct several typos and add one
missing word.
BZ#725737
Previously, the cpuplugd daemon did not handle sub-string matching correctly. The
daemon also used an incorrect string length when working with user-defined variables. As
a consequence, the daemon returned a parsing error if a user-defined variable name
matched the prefix of a pre-defined variable, or a substring of another user-defined
variable. With this update, the sub-string matching has been corrected, and cpuplugd now
uses the correct string length in string comparison operations. Parsing errors no longer occur in
the scenario described.
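The two cpuplugd parsing bugs above (commented-out lines being processed, and a user-defined name matching the prefix of a pre-defined one) belong to a common class, sketched here as an added example that is not cpuplugd's code. The variable names, the name grammar and the functions parse_line(), lookup_prefix_bug() and lookup_exact() are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed list of pre-defined variable names (placeholders). */
static const char *const predefined[] = { "cpu_min", "cpu_max", "update", NULL };

/* Buggy lookup: compares only the first len bytes, so "cpu" matches "cpu_min". */
int lookup_prefix_bug(const char *name, size_t len)
{
    for (int i = 0; predefined[i] != NULL; i++)
        if (strncmp(predefined[i], name, len) == 0)
            return i;
    return -1;
}

/* Corrected lookup: the lengths must agree before the bytes are compared. */
int lookup_exact(const char *name, size_t len)
{
    for (int i = 0; predefined[i] != NULL; i++)
        if (strlen(predefined[i]) == len && memcmp(predefined[i], name, len) == 0)
            return i;
    return -1;
}

/* Assumed grammar: a name starts with a letter or '_' and continues with
 * letters, digits or '_'. Returns the length of the name, 0 if invalid. */
static size_t scan_name(const char *s)
{
    size_t n = 0;

    if (!(isalpha((unsigned char)s[0]) || s[0] == '_'))
        return 0;
    while (isalnum((unsigned char)s[n]) || s[n] == '_')
        n++;
    return n;
}

/*
 * Parse one configuration line of the form: name = value
 * Returns 0 for blank or commented-out lines (nothing is evaluated),
 *         1 when a valid name was stored in 'name',
 *        -1 for an invalid name or a missing '='.
 */
int parse_line(const char *line, char *name, size_t name_sz)
{
    const char *p;
    size_t n;

    while (isspace((unsigned char)*line))
        line++;                           /* indentation may precede a '#' */
    if (*line == '\0' || *line == '#')
        return 0;
    n = scan_name(line);
    if (n == 0 || n >= name_sz)
        return -1;
    p = line + n;
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p != '=')                        /* rejects "my-var = 1" and "novalue" */
        return -1;
    memcpy(name, line, n);
    name[n] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample configuration lines. */
    static const char *const sample[] = {
        "  # cpu_min = 4", "cpu = 2", "cpu_min = 1", "9lives = 3", NULL
    };
    char name[32];

    for (int i = 0; sample[i] != NULL; i++) {
        int rc = parse_line(sample[i], name, sizeof(name));

        if (rc == 0)
            printf("%-16s ignored\n", sample[i]);
        else if (rc < 0)
            printf("%-16s rejected\n", sample[i]);
        else
            printf("%-16s name=%s prefix_lookup=%d exact_lookup=%d\n",
                   sample[i], name,
                   lookup_prefix_bug(name, strlen(name)),
                   lookup_exact(name, strlen(name)));
    }
    return 0;
}
```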
BZ#718745
The cpuplugd daemon did not use any mechanism to prevent multiple cpuplugd instances from
starting. As a consequence, a race between the PID file creation and a daemon startup
could result in multiple cpuplugd instances running concurrently. To resolve this problem,
a file locking mechanism that uses the flock() function has been introduced in the
cpuplugd code. Only one instance of cpuplugd is now allowed to run at the same time.
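A single-instance guard of the kind described above, as an added example that is not cpuplugd's own code: the lock is taken on the PID file itself before anything is written, so checking and claiming are one atomic step. The function names and the PID file path are assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* O_CLOEXEC on older glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>        /* flock() */
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical helper: take an exclusive, non-blocking flock() on the PID
 * file and record our PID in it.
 * Returns the open descriptor, which must stay open for the daemon's lifetime
 * (the kernel drops the lock when it is closed or the process dies).
 * Returns -1 with errno == EWOULDBLOCK if another instance holds the lock,
 * or -1 with a different errno on I/O failure.
 */
int acquire_instance_lock(const char *pidfile)
{
    char buf[32];
    int fd, len, saved;

    /* No O_TRUNC here: the file may belong to a running instance. */
    fd = open(pidfile, O_RDWR | O_CREAT | O_CLOEXEC, 0644);
    if (fd < 0)
        return -1;

    if (flock(fd, LOCK_EX | LOCK_NB) < 0)
        goto fail;

    /* The lock is ours, so replacing the contents is now safe. */
    len = snprintf(buf, sizeof(buf), "%ld\n", (long)getpid());
    if (ftruncate(fd, 0) < 0 || write(fd, buf, (size_t)len) != (ssize_t)len)
        goto fail;
    return fd;

fail:
    saved = errno;           /* close() must not hide the real error */
    close(fd);
    errno = saved;
    return -1;
}

/*
 * Release the lock by closing the descriptor. The file is left in place on
 * purpose: unlinking it would let a newcomer create and lock a fresh inode
 * while another process still holds a descriptor to the old one.
 */
void release_instance_lock(int fd)
{
    close(fd);
}

int main(int argc, char **argv)
{
    const char *pidfile = argc > 1 ? argv[1] : "/tmp/example-daemon.pid";
    int fd = acquire_instance_lock(pidfile);

    if (fd < 0) {
        if (errno == EWOULDBLOCK)
            fprintf(stderr, "another instance is already running\n");
        else
            perror(pidfile);
        return 1;
    }
    printf("lock held on %s, running for 30 seconds\n", pidfile);
    sleep(30);               /* start a second copy meanwhile to see it refused */
    release_instance_lock(fd);
    return 0;
}
```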
BZ#718697
The cpuplugd daemon previously did not implement sanity checks regarding minimum and
maximum values for valid CPU and memory intervals. If a configuration with incorrect
intervals was used, the daemon could not work properly, and CPU and memory could not
be used optimally. With this update, cpuplugd now includes CPU and memory sanity
checks, ensuring its efficiency.
BZ#718198
Due to a missing ferror() test, the lsreipl utility returned an error message when it
attempted to read an empty sysfs file. With this update, the missing check has been added,
and lsreipl no longer returns error messages when attempting to read an empty file.
BZ#713817
The libzfcphbaapi library was missing some event thread cleanup code in the
HBA_FreeLibrary() function. Therefore, the zfcp_ping tool could terminate
unexpectedly with a segmentation fault if no on-line adapter was discovered. The missing
event thread cleanup has been added in the code using the pthread_cancel and
pthread_join functions. The zfcp_ping tool no longer crashes under these
circumstances.
BZ#711998
The s390utils-iucvterm package uses the grep command in its postinstall and postuninstall
scripts but it was not dependent on the grep package. Therefore, error messages were
displayed when installing s390utils-iucvterm. With this update, the grep package has been
added as a prerequisite for s390utils-iucvterm. No error messages now occur during the
package installation.
BZ#711775
When scanning for active Logical Unit Numbers (LUNs) without the -a, --active
option, the lsluns utility filtered a scan for well known LUNs with value
0xc101000000000000 and 0x0000000000000000, because the SCSI report luns
command is sent only to these LUNs. As a consequence, the lsluns -a command did not
show all active LUNs but only active well known LUNs. The lsluns utility has been
modified to not filter LUNs when issued with the -a option, and it now shows all active
LUNs.
BZ#705404
The dasdinfo utility was missing a return code and the tool always returned exit code
0 even if an error had occurred. This update adds the missing return code and the
dasdinfo tool now returns correct return code values.
BZ#704505
The s390utils-libzfcphbaapi package did not specify the correct location of the
libzfcphbaapi.so common library to the /etc/hba.conf configuration file. Therefore,
s390utils-libzfcphbaapi failed to register with the /etc/hba.conf configuration file. With this
update, the postinstall script adds the libzfcphbaapi
/usr/lib64/libzfcphbaapi-2.1.so line to the /etc/hba.conf configuration file
and thus registers the s390utils-libzfcphbaapi package.
BZ#700471
The ziomon utility used the --output command line option in the code, although it was
referred to as the --outfile option in the documentation. Using the --outfile option
as suggested by documentation thus resulted in a ziomon failure. With this update,
ziomon has been modified to accept the --outfile command line option as
documented.
BZ#700470
The ziomon utility did not check whether a debugfs file system is mounted on the
/sys/kernel/debug/ directory. Therefore, if the mount point was a different directory,
ziomon failed. The missing test is now included in ziomon, and it now works as expected:
it continues if a file system is mounted on the /sys/kernel/debug/ directory, or exits with
the ziomon: Error: Debugfs not mounted on /sys/kernel/debug. error
message if a file system is mounted on a different mount point.
BZ#729981
To print parameters of the zipl utility for device-mapper multipath devices, zipl uses
the zipl_helper.device-mapper script, which parses output of other programs. If any
of these programs had locale dependent output, the script was unable to parse the
output. Consequently, zipl terminated with the following error:
Script could not determine target parameters
To avoid this problem, the zipl_helper.device-mapper script has been modified to
set up the standard locale for the current process and all child processes. The problem
described no longer occurs.
Enhancements
BZ#700531
The latest versions of the Linux 2.6 scheduler provide the same CPU optimization
functionality as the cpuplugd daemon does, without the negative effects of cpuplugd
operations. Therefore, the cpuplugd daemon is now disabled on the system by default.
BZ#694465
With this update, the cpuplugd daemon has been significantly improved:
A set of rules used by the cpuplugd daemon has been improved, and cpuplugd now
provides more advanced control of the VM Resource Manager (VMRM)
Cooperative Memory Management (CMM) memory balloon.
The daemon now also provides a history function, which allows access to previous
data.
Any data from the /proc/vmstat and /proc/meminfo files can now be used in
cpuplugd rules and user-defined variables.
A new cpustat.total_ticks variable has been introduced, which simplifies user-defined CPU percentage calculations.
The process of timestamp generation has been simplified, and a bug with wrong
timestamps and intervals due to incorrect counts with microseconds has been fixed.
Previously, the daemon did not re-allocate and re-initialize the history data on a
SIGHUP signal receipt. This could cause the daemon to terminate unexpectedly with a
segmentation fault if the maximum history level increased. The history data is now re-allocated and re-initialized when the daemon is reloaded and the maximum history level
has changed.
The daemon used a specified update interval instead of the actual time to determine the
duration of the sleep() function and for swap rate calculation. This could lead to
incorrect data under certain circumstances. The cpuplugd daemon now uses the
actual time in its calculations.
BZ#632327
The chreipl tool has been improved and now includes the following modifications:
Support for re-IPL from multipath devices has been added.
Support for re-IPL from Named Saved System (NSS) has been added.
Additional kernel parameters now can be specified for the next re-IPL.
Support for "auto target" has been added. For the ccw, fcp, and node targets,
chreipl can automatically find the correct re-IPL target.
All users of s390utils are advised to upgrade to these updated packages, which fix these bugs and
add these enhancements.
4.278. sabayon
4.278.1. RHBA-2011:1273 — sabayon bug fix update
Updated sabayon packages that fix two bugs are now available for Red Hat Enterprise Linux 6.
Sabayon is a tool to help system administrators and users change and maintain the default behavior
of the GNOME desktop. These packages contain the graphical tools which a system administrator
uses to manage Sabayon profiles.
Bug Fixes
BZ#674012
Previously, when a user configured a custom panel launcher in the profile, Sabayon
terminated unexpectedly while getting details of the profile. With this update, a priority level
has been set up for sorting in the Details view so that Sabayon no longer crashes while
getting the profile details.
BZ#654567
Previously, when a user created a file or folder on the desktop that contained an
apostrophe ("'") in the name, Sabayon terminated unexpectedly when saving the profile.
With this update, any apostrophe characters in the name are now escaped so that
Sabayon no longer crashes and properly saves the profile.
All sabayon users are advised to upgrade to these updated packages, which fix these bugs.
4.279. samba
4.279.1. RHSA-2012:0465 — Critical: samba security update
Updated samba packages that fix one security issue are now available for Red Hat Enterprise Linux
5 and 6; Red Hat Enterprise Linux 5.3 Long Life; and Red Hat Enterprise Linux 5.6, 6.0 and 6.1
Extended Update Support.
The Red Hat Security Response Team has rated this update as having critical security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available for each vulnerability from the CVE link(s) associated with each description below.
Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet
File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other
information.
Security Fix
CVE-2012-1182
A flaw in the Samba suite's Perl-based DCE/RPC IDL (PIDL) compiler, used to generate
code to handle RPC calls, resulted in multiple buffer overflows in Samba. A remote,
unauthenticated attacker could send a specially-crafted RPC request that would cause the
Samba daemon (smbd) to crash or, possibly, execute arbitrary code with the privileges of
the root user.
Users of Samba are advised to upgrade to these updated packages, which contain a backported
patch to resolve this issue. After installing this update, the smb service will be restarted automatically.
4.279.2. RHSA-2012:0533 — Important: samba and samba3x security update
Updated samba3x and samba packages that fix one security issue are now available for Red Hat
Enterprise Linux 5 and 6 respectively.
The Red Hat Security Response Team has rated this update as having important security impact. A
Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is
available from the CVE link(s) associated with each description below.
Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet
File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other
information.
Security Fix
CVE-2012-2111
A flaw was found in the way Samba handled certain Local Security Authority (LSA) Remote
Procedure Calls (RPC). An authenticated user could use this flaw to issue an RPC call that
would modify the privileges database on the Samba server, allowing them to steal the
ownership of files and directories that are being shared by the Samba server, and create,
delete, and modify user accounts, as well as other Samba server administration tasks.
Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges
Ivano Cristofolini as the original reporter.
Users of Samba are advised to upgrade to these updated packages, which contain a backported
patch to resolve this issue. After installing this update, the smb service will be restarted automatically.
4.279.3. RHBA-2011:1519 — samba bug fix update
Updated samba packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
Samba is the suite of programs by which a lot of PC-related machines share files, printers, and other
information (such as lists of available files and printers).
BZ#713570
Previously, Samba did not correctly create user principal names for trusted domain users.
As a result, joining Samba to a Windows domain using an account from a trusted domain
did not work. With this update, composing the user principal name for Kerberos
authentication has been fixed so that the bug no longer occurs.
BZ#709617
Previously, printers controlled by the Common Unix Printing System (CUPS) and shared by
a Samba server did not display the information on "location", which was controlled by the
CUPS server, on Windows clients. With this update, the bug has been fixed so that the
information on "location" is now correctly displayed on Windows clients.
BZ#719355
Previously, Samba did not correctly support clients with plain text passwords. As a result,
Windows clients were unable to connect to Samba with plain text passwords. With this
update, Samba support for plain text passwords has been fixed.
BZ#703393
Previously, when a paper format on a Samba shared printer was selected from a Windows
client, this selection was not saved properly on the Samba server. As a result, changing
printer properties had no effect. With this update, the bug has been fixed so that the printer
properties are now saved, as expected.
BZ#725281
Previously, in certain environments with many users, the pam_winbind module stopped
operating. As a result, there were failures encountered if users attempted to log in. With this
update, the bug has been fixed so that pam_winbind now works, as expected.
BZ#741934
Previously, Winbind did not recover from network connection failures after an
unsuccessful user authentication. As a result, Winbind had to be restarted for users to be
able to retry the authentication process. With this update, the bug has been fixed so that
users are now able to retry the authentication process without restarting Winbind.
BZ#709070
Previously, there were performance problems with print servers that served a large number
of printers. As a result, clients had to wait a long time to be able to use printers shared on a
Samba server. With this update, the performance problems with print servers have been
fixed.
BZ#740832
If Linux clients used the Common Internet File System (CIFS) client in the kernel to mount a
Samba share, the force create mode parameter was not honored properly. As a result,
files created on a mounted Samba share did not properly follow the umask parameter, and
files with undesired permissions were created. With this update, the bug has been fixed and
no longer occurs.
BZ#743892
Previously, Windows Internet Explorer 9 running on Microsoft Windows 7 was unable
to download files onto a Samba share. With this update, the bug has been fixed and no
longer occurs.
BZ#709641
Previously, Winbind was not able to correctly retrieve user and group information from a
Windows server. As a result, Winbind was unable to expose users and groups on the local
system. This bug has been fixed in this update.
BZ#705123
Previously, if Winbind was used to provide MS-CHAPv2 authentication for FreeRadius,
an invalid session key was used. As a result, users with MS-CHAPv2 authentication were
unable to authenticate. With this update, this bug has been fixed so that MS-CHAPv2
authentication for FreeRadius now works as expected.
BZ#739186
Previously, certain Samba components logged a large number of unimportant internal
messages to the system log. This bug has been fixed in this update by increasing the log
level for the log messages.
BZ#737810
Previously, the net(8) man page did not document Kerberos authentication. This bug has
been fixed by adding the missing documentation to the man page.
BZ#693136
If a printer driver was installed on a Samba server, there was a failure encountered on the
Windows client. As a result, driver settings were not properly initialized and the printer did
not work properly. With this update, the bug has been fixed so that the printer driver
installation now works as expected.
BZ#737808
Previously, the net utility used for joining the Windows domains did not use the existing
Kerberos credential cache. As a result, users were unable to reuse their existing tickets to
join the Windows domains with Kerberos. With this update, the net utility has been fixed so
that it now uses existing tickets from the default credential cache.
BZ#691423
When registering the Domain Name System (DNS) names, certain Samba utilities aborted
the DNS registration if Samba tried to contact a disconnected DNS name server. With this
update, Samba has been fixed so that it skips those DNS name servers that are not
available on the network.
BZ#652609
Previously, the man pages for certain Samba components did not document that if the
Windows Services for UNIX (SFU) are enabled, or if the standard RFC 2307 LDAP attributes
in the Active Directory (AD) are used, primary group membership is not calculated based on
the gidNumber LDAP attribute. Instead, Winbind uses the primaryGroupID LDAP
attribute. As a result, setting the gidNumber attribute in AD has no effect for accounts if
Winbind is used. With this update, the man pages have been updated accordingly to
reflect the aforementioned limitation.
BZ#748325
Previously, extracting files from a ZIP archive failed on the Distributed File System (DFS)
shares if the follow symlinks = yes parameter was not set. This bug has been fixed in
this update so that extracting files from the ZIP archive now works as expected.
All users of samba should upgrade to these updated packages, which fix these bugs.
4.280. sblim-cmpi-base
4.280.1. RHBA-2011:1548 — sblim-cmpi-base bug fix update
An updated sblim-cmpi-base package that fixes several bugs is now available for Red Hat Enterprise
Linux 6.
The sblim-cmpi-base package provides Standards Based Linux Instrumentation for Manageability
(SBLIM) Common Manageability Programming Interface (CMPI) Base Providers for System-Related
Common Information Model (CIM) classes.
The sblim-cmpi-base package has been upgraded to upstream version 1.6.1, which provides a
number of bug fixes over the previous version. (BZ #694514)
All users of sblim-cmpi-base are advised to upgrade to this updated package, which fixes these
bugs.
4.281. sblim-cmpi-fsvol
4.281.1. RHBA-2011:1549 — sblim-cmpi-fsvol bug fix and enhancement update
An updated sblim-cmpi-fsvol package that fixes several bugs and provides various enhancements is
now available for Red Hat Enterprise Linux 6.
The sblim-cmpi-fsvol package provides the filesystem and volume management instrumentation
allowing users to obtain information about mounted and unmounted file systems by use of CIMOM
technology and infrastructure.
The sblim-cmpi-fsvol package has been upgraded to upstream version 1.5.1, which includes the
Linux_CSProcessor class registration fix, and provides a number of other bug fixes and
enhancements over the previous version. (BZ #694506)
Bug Fix
BZ#663833
CIMOM did not collect any information about ext4 file systems because the
Linux_Ext4FileSystem class was not defined. This class has been defined and information
about ext4 file systems is now collected properly.
All users of sblim-cmpi-fsvol are advised to upgrade to this updated sblim-cmpi-fsvol package, which
resolves these issues and adds these enhancements.
4.282. sblim-cmpi-nfsv3
4.282.1. RHEA-2011:1578 — sblim-cmpi-nfsv3 bug fix and enhancement update
An updated sblim-cmpi-nfsv3 package that fixes several bugs and adds various enhancements is
now available for Red Hat Enterprise Linux 6.
The sblim-cmpi-nfsv3 package provides SBLIM (Standards Based Linux Instrumentation for
Manageability) CMPI (Common Manageability Programming Interface) NFSv3 Providers for NFSv3
related CIM (Common Information Model) classes.
The sblim-cmpi-nfsv3 package has been upgraded to upstream version 1.1.1, which provides a
number of bug fixes and enhancements over the previous version. (BZ #694508)
All users of sblim-cmpi-nfsv3 are advised to upgrade to this updated package, which fixes these
bugs and adds these enhancements.
4.283. sblim-gather
4.283.1. RHBA-2011:1593 — sblim-gather bug fix update
Updated sblim-gather packages that fix several bugs are now available for Red Hat Enterprise Linux
6.
The sblim-gather package (Standards Based Linux Instrumentation for Manageability Performance
Data Gatherer Base) contains agents and control programs for gathering and providing
performance data and CIM (Common Information Model) Providers.
The sblim-gather package has been upgraded to upstream version 2.2.3, which provides a number
of bug fixes over the previous version. (BZ #633991)
Bug Fixes
BZ#712043
Previously, CIM Metrics providers specific to IBM System z were missing from the sblim-gather package, preventing proper functionality of the package on that architecture. This
update ensures that the CIM Metrics providers are now properly included in the IBM System
z packages, with the result that full functionality is now provided.
B Z #713174
The sblim-gather-provider package is DSP1053 compliant and advertises this via the
Linux_MetricRegisteredProfile class under the root/interop namespace. Prior to this update,
the registration of this class and provider was missing from the package, preventing
communication with the class via CIM object managers. This bug has been fixed, and now
the appropriate provider for the Linux_MetricRegisteredProfile class is properly registered
under the root/interop namespace.
BZ#626769
Previously, the sblim-gather init script was incorrectly placed in the /etc/init.d directory,
causing difficulties during installation of the package. With this update, the init script is
correctly placed in the /etc/rc.d/init.d directory, thus fixing this bug.
BZ#627919
Previously, the sblim-gather init script exit status codes were incorrect in two scenarios:
when restarting a service as a non-privileged user and when passing an invalid argument.
This bug has been fixed, and all exit status codes of the sblim-gather init script are now
correct.
All users of sblim-gather are advised to upgrade to these updated packages, which fix these bugs.
4.284. sblim-sfcb
4.284.1. RHBA-2011:1547 — sblim-sfcb bug fix update
An updated sblim-sfcb package that fixes multiple bugs is now available for Red Hat Enterprise Linux
6.
Small Footprint CIM Broker (sblim-sfcb) is a Common Information Model (CIM) server conforming to
the CIM Operations over the HTTP protocol. The SFCB CIM server is robust and resource-efficient,
and is therefore particularly suited for embedded and resource-constrained environments. The sblim-sfcb package supports providers written against the Common Manageability Programming Interface
(CMPI).
The sblim-sfcb package has been upgraded to upstream version 1.3.11, which provides a number of
bug fixes over the previous version. (BZ #633580)
Bug Fixes
BZ #618080
When using the sfcbrepos command without the "-c" option to specify the location of the
CIM schema, an error message occurred. The issue was caused by using the default CIM
schema location (the /usr/lib/sfcb/CIM/ directory), which does not exist on Red Hat
Enterprise Linux systems. This issue has been fixed and sfcbrepos now reflects the correct
CIM schema location (the /usr/share/mof/cim-current/ directory).
BZ #618081
The sfcb system group, which is used by PAM for basic authentication, was not created
automatically during package installation. This issue has been fixed and the group is now
created correctly.
BZ #620303
The sblim-sfcb package was compiled without the Unix domain socket local connection
functionality. This issue has been fixed and this feature is now enabled in the SFCB CIM
server.
BZ #745261
Due to missing checks on pointer validity when freeing memory in certain parts of the code,
the SBLIM Web-Based Enterprise Management (WBEM) Command Line Interface (sblim-wbemcli)
terminated unexpectedly with a segmentation fault upon successful completion of
a CIM request. With this update, the missing checks have been added: pointers are now
tested for NULL before an attempt to free the memory, and are set to NULL explicitly after the
memory is freed. Segmentation faults no longer occur and sblim-wbemcli no longer crashes
in the scenario described.
All users of sblim-sfcb are advised to upgrade to this updated package, which fixes these bugs.
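The cleanup pattern described for BZ #745261 (test the pointer, free it, then reset it to NULL) is shown below as an added illustration; it is not sblim-wbemcli or sblim-sfcb source. The cim_response struct, its fields and the helper names are hypothetical, and the assumption that cleanup is reached twice after a successful request is made only to exercise the pattern, since the note does not say which code path crashed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a client-side reply object; not taken from
 * the sblim sources. Either buffer may legitimately be absent (NULL). */
struct cim_response {
    char *payload;   /* body of the reply */
    char *error;     /* error text, NULL on success */
};

static int free_calls;   /* counts real releases so the result is checkable */

/* Release *pp only if it is set, then clear it so that a later call
 * sees NULL instead of a dangling pointer. */
static void release_ptr(char **pp)
{
    if (pp != NULL && *pp != NULL) {
        free(*pp);
        free_calls++;
        *pp = NULL;
    }
}

/* Safe on a partially filled response and safe to call more than once. */
void response_release(struct cim_response *r)
{
    if (r == NULL)
        return;
    release_ptr(&r->payload);
    release_ptr(&r->error);
}

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Simulates a successful request whose cleanup is reached from two places
 * (assumed here: the request handler and the exit path). Returns the number
 * of real free() calls, -1 on allocation failure, -2 if a pointer survived. */
int run_successful_request(void)
{
    struct cim_response r = { NULL, NULL };

    free_calls = 0;
    r.payload = dup_string("<constructed reply body>");
    if (r.payload == NULL)
        return -1;
    /* r.error stays NULL: the request succeeded. */

    response_release(&r);   /* handler cleanup */
    response_release(&r);   /* exit-path cleanup: must be a no-op */

    if (r.payload != NULL || r.error != NULL)
        return -2;
    return free_calls;
}

int main(void)
{
    printf("real free() calls: %d\n", run_successful_request());
    return 0;
}
```

In standard C, free(NULL) is already a no-op, so the NULL test matters mainly in combination with the reset: clearing the pointer is what keeps the second release from touching memory that has already been freed.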
4.285. sblim-sfcc
4.285.1. RHBA-2011:1583 — sblim-sfcc bug fix update
An updated sblim-sfcc package that fixes various bugs is now available for Red Hat Enterprise Linux
6.
The small footprint CIM client library (sblim-sfcc) is a C API allowing client applications to interface
with CIM (Common Information Model) implementations (e.g. CIM servers). Due to its small memory
and disk footprint it is well-suited for embedded environments.
The sblim-sfcc package has been upgraded to upstream version 2.2.2, which provides a number of
bug fixes over the previous version. (BZ #715331)
All users of sblim-sfcc are advised to upgrade to this updated package, which fixes these bugs.
4.286. sblim-smis-hba
4.286.1. RHBA-2011:1270 — sblim-smis-hba bug fix update
An updated sblim-smis-hba package that fixes one bug is now available for Red Hat Enterprise Linux
6.
The sblim-smis-hba package provides SMI-S standards based HBA CMPI Providers for CIMOM
technology/infrastructure.
Bug Fix
BZ #620422
Prior to this update, the sblim-smis-hba package's license field contained both the EPL and
SNIA licenses, although no code in the package is licensed under the SNIA license. This
bug has been fixed in this update by removing the SNIA license from the license field so that
the field now contains the correct information.
All users of sblim-smis-hba are advised to upgrade to this updated package, which fixes this bug.
4.287. scsi-target-utils
4.287.1. RHBA-2011:1762 — scsi-target-utils bug fix and enhancement update
An updated scsi-target-utils package that fixes two bugs and adds one enhancement is now
available for Red Hat Enterprise Linux 6.
The scsi-target-utils package contains the daemon and tools used to set up iSCSI and iSCSI
Extensions for RDMA (iSER) targets.
Bug Fixes
BZ #712807
Prior to this update, scsi-target-utils could under certain circumstances terminate
unexpectedly with a segmentation fault when the tgt daemon was stopped. This update
modifies the source code so that scsi-target-utils no longer terminates with a segmentation
fault when tgtd is stopped.
BZ #736740
Prior to this update, the SCSI target configuration tool (tgt-admin) could update only a
limited number of targets. As a result, running tgt-admin with the
--update ALL option failed with an error message that the target already existed. With this
update, tgt-admin has been modified so that it now successfully processes large numbers
of targets.
Enhancement
BZ #679046
This update increases the allowable lengths of scsi_sn and scsi_id to 36 characters to
allow the use of globally unique identifiers (GUID) for these properties.
All users of scsi-target-utils are advised to upgrade to this updated package, which fixes these bugs
and adds this enhancement.
4.288. seabios
4.288.1. RHBA-2011:1680 — seabios bug fix update
An updated seabios package that fixes several bugs is now available for Red Hat Enterprise Linux 6.
The seabios package contains a legacy BIOS implementation which can be used as a coreboot
payload.
Bug Fixes
BZ #727328
Previously, the smp_mtrr array was not large enough to hold all 31 entries of model-specific
registers (MSRs) with current qemu-kvm implementations. As a consequence, installation of
a Windows Server 2008 32-bit guest failed when more than one virtual CPU was allocated
in it. With this update, the size of the smp_mtrr array has been increased to 32 and now
Windows Server 2008 guests install successfully in the described scenario.
BZ #733028
On reboot, reinitialization of the USB HID (Human Interface Device) devices was not done
before seabios was setting up timers. Consequently, when the "shutdown -r now" command
was executed in a guest, the guest became unresponsive, could not be rebooted, and the
"usb-kbd: warning: key event queue full" error message was returned. A patch has been
provided to address this issue and the guest now reboots properly in the described
scenario.
BZ #630975
Previously, seabios only supported address space up to 40 bits per one address. As a
consequence, guests with 1 TB of RAM could not boot. A patch has been provided to
address this issue, which raises the memory space limit up to 48 bits, thus supporting up to
281 TB of virtual memory in a guest.
BZ #736522
Previously, the S3/S4 power state capability was advertised in the DSDT (Differentiated
System Description Table) tables. This could have caused various power management
issues. With this update, the S3/S4 capability has been removed from the DSDT tables,
thus fixing this bug.
BZ #750191
Previously, Windows guests failed to generate memory dumps on NMIs (Non-Maskable
Interrupts), even if they were properly configured to do so. With this update, an NMI descriptor has
been added to seabios, and Windows guests now generate memory dumps on NMIs
correctly.
All users of seabios are advised to upgrade to this updated package, which fixes these bugs.
4.289. sed
4.289.1. RHBA-2011:1116 — sed bug fix update
An updated sed package that fixes two bugs is now available for Red Hat Enterprise Linux 6.
The sed package provides a stream or batch (non-interactive) editor that takes text as input,
performs an operation or a set of operations on the text, and outputs the modified text.
Bug Fixes
BZ #721349
Prior to this update, the is_selinux_disabled() function was not correctly checked. With this
update, this check returns the correct value and now the check works as expected.
BZ #679921
Prior to this update, the behavior of the -i/--in-place option for symlinks and hardlinks was
not clearly documented. With this update, the manpage and the user documentation have
been improved and this problem is resolved.
All sed users are advised to upgrade to this updated package, which fixes these bugs.
4.290. seekwatcher
4.290.1. RHBA-2011:1114 — seekwatcher bug fix update
An updated seekwatcher package that fixes one bug is now available for Red Hat Enterprise Linux 6.
The seekwatcher package generates graphs from blktrace runs to help visualize I/O patterns and
performance. It can plot multiple blktrace runs together, making it easy to compare the differences
between different benchmark runs.
Bug Fix
BZ #681703
Prior to this update, an obsolete "matplotlib" configuration directive in seekwatcher caused
seekwatcher to emit a spurious warning when executed. This bug has been fixed in this
update and no longer occurs.
All users of seekwatcher should upgrade to this updated package, which fixes this bug.
4.291. selinux-policy
4.291.1. RHBA-2011:1511 — selinux-policy bug fix and enhancement update
Updated selinux-policy packages that fix several bugs and add various enhancements are now
available for Red Hat Enterprise Linux 6.
The selinux-policy packages contain the rules that govern how confined processes run on the system.
Bug Fixes
BZ #665176
Most of the major services in Red Hat Enterprise Linux 6 have a corresponding
service_selinux(8) manual page. Previously, there was no manual page for the MySQL
service (mysqld). This update corrects this error, and the selinux-policy packages now
provide the mysql_selinux(8) manual page as expected.
BZ #694031
When the SELinux Multi-Level Security (MLS) policy was enabled, running the userdel -r
command caused Access Vector Cache (AVC) messages to be written to the audit log. With
this update, the relevant policy has been corrected so that userdel no longer produces
these messages.
BZ #698923
When SELinux was running in enforcing mode, an incorrect SELinux policy prevented the
kadmin utility (a program for Kerberos V5 database administration) from setting process
priority. With this update, the SELinux policy has been corrected, and kadmin now works
as expected.
BZ #701885
Previously, the output of the semanage boolean -l command contained errors. This
update fixes the descriptions of various SELinux Booleans to ensure the aforementioned
command now produces correct output without errors.
BZ #704191
Prior to this update, the secadm SELinux user was not allowed to modify SELinux
configuration files. With this update, the relevant SELinux policy has been corrected and
the secadm SELinux user can now modify such configuration files as expected.
BZ #705277, BZ #712961, BZ #716973
With SELinux enabled, the rsyslogd service was previously unable to send messages
encrypted with the Transport Layer Security (TLS) protocol. This update corrects the
relevant SELinux policy, and rsyslogd can now send such messages as expected.
BZ #705489
With SELinux enabled, configuring cluster fencing agents to use the SSH or Telnet protocol
caused these fencing agents to fail. This update contains updated SELinux rules and
introduces a new fenced_can_ssh Boolean, which allows the fencing agents to use these
protocols.
BZ #706086
Due to a constraint violation, when SELinux was running in enforcing mode, the xinetd
service was unable to connect to localhost and the operation failed. With this update,
xinetd is now trusted to write outbound packets regardless of the network's or node's
Multi-Level Security (MLS) range, which resolves this issue.
BZ #706448
Due to an incorrect SELinux policy, when the user added a NIS username to the
/etc/cgrules.conf configuration file, SELinux incorrectly prevented cgroups from
properly applying rules to NIS users. This update corrects this error by adding an
appropriate policy so that SELinux no longer prevents cgroups from applying rules to NIS
users.
BZ #707616
Previously, the SELinux Multi-Level Security (MLS) policy incorrectly prevented an MLS
machine from registering with Red Hat Network. This update corrects the SELinux policy so
that MLS machines can now be registered as expected.
BZ #710357
Prior to this update, various incorrect SELinux labels caused several Access Vector Cache
(AVC) messages to be written to the audit log. With this update, the SELinux labels that
triggered these AVC messages have been corrected so that such AVC messages no longer
appear in the log.
BZ #713218
Due to incorrect SELinux policy rules, the Kerberos 5 Admin Server (kadmind) was
unable to contact the LDAP server and failed to start. This update fixes the relevant policy
and kadmind now starts as expected.
BZ #714620
With SELinux running in enforcing mode, the sssd service did not work properly and when
any user authenticated to the sshd service using the Generic Security Services Application
Program Interface (GSSAPI), subsequent authentication attempts failed. This update adds
an appropriate security file context for the /var/cache/krb5cache/ directory, which
allows sssd to work correctly.
BZ #715038
Previously, various labels were incorrect and rules for creating new 389-ds instances were
missing. As a consequence, when the user created a new 389-ds instance using the
389-console utility, several Access Vector Cache (AVC) messages appeared in the audit log.
With this update, the erroneous labels have been fixed and missing rules have been added
so that new 389-ds instances are now created without these AVC messages.
BZ #718390
Due to incorrect SELinux policies, the puppetmaster service was not allowed to get
attributes of the chage utility and any attempt to do so caused Access Vector Cache (AVC)
messages to be written to the audit log. With this update, the SELinux policy rules have
been adapted to allow puppetmaster to perform this operation.
BZ #719261
When SELinux was running in enforcing mode, it incorrectly prevented the Postfix mail
transfer agent from re-sending queued email messages. This update adds a new security
file context for the /var/spool/postfix/maildrop/ directory to make sure Postfix is
now allowed to re-send queued email messages as expected.
BZ #719929
The previous version of the httpd_selinux(8) manual page was incomplete and did not
provide any information about the following Booleans:
httpd_enable_ftp_server
httpd_execmem
httpd_read_user_content
httpd_setrlimit
httpd_ssi_exec
httpd_tmp_exec
httpd_use_cifs
httpd_use_gpg
httpd_use_nfs
httpd_can_check_spam
httpd_can_network_connect_cobbler
httpd_can_network_connect_db
httpd_can_network_connect_memcache
httpd_can_network_relay
httpd_dbus_avahi
With this update, this error no longer occurs and the aforementioned manual page now
describes all available SELinux Booleans as expected.
BZ #722381
Due to the /var/lib/squeezeboxserver/ directory having an incorrect security
context, an attempt to start the squeezeboxserver service with SELinux running in
enforcing mode failed and Access Vector Cache (AVC) messages were written to the audit
log. With this update, the security context of this directory has been corrected so that
SELinux no longer prevents squeezeboxserver from starting.
BZ #725414
When a non-root user (in the unconfined_t domain) ran the ssh-keygen utility and
the ~/.ssh/ directory did not exist, the utility created this directory with an incorrect
security context. This update adapts the relevant SELinux policy to make sure ~/.ssh/ is
now created with the correct context (the ssh_home_t type).
BZ #726339
Prior to this update, SELinux prevented the ip utility from using the sys_module
capabilities, which caused various Access Vector Cache (AVC) messages to be written to
the audit log. With this update, an appropriate dontaudit rule has been added to make
sure such messages are no longer logged.
BZ #727130
When SELinux was running in enforcing mode, an incorrect policy prevented the grubby
utility from searching DOS file systems such as FAT32 or NTFS. This update corrects the
SELinux policy so that grubby can now work as expected.
BZ #727150
With the omsnmp module enabled, the latest version of the rsyslog daemon can send log
messages as SNMP traps. This update adapts the SELinux policy to support this new
functionality.
BZ #727290
Prior to this update, SELinux prevented the lldpad daemon from using the sys_module
capabilities, which caused various Access Vector Cache (AVC) messages to be written to
the audit log. With this update, an appropriate dontaudit rule has been added to make
sure such messages are no longer logged.
BZ #728591
When SELinux was running in enforcing mode, rsyslog clients were incorrectly denied
access to port 6514 (the syslog over TLS port). This update adds a new SELinux policy
that allows rsyslog clients to connect to this port.
BZ #728699
Prior to this update, SELinux incorrectly prevented the hddtemp utility from listening on
localhost. This update corrects this error, and the selinux-policy packages now provide
updated SELinux rules that allow hddtemp to listen on localhost as expected.
BZ #728790
When running in enforcing mode, SELinux incorrectly prevented the new fence_kdump
agent from binding to a port. This update adds appropriate SELinux rules to make sure this
agent can bind to a port as expected.
BZ #729073
Due to an incorrect SELinux policy, an attempt to use nice to modify scheduling priority of
the openvpn service failed, because SELinux prevented it. This update provides updated
SELinux rules and adds a sys_nice capability so that users are now allowed to modify
the scheduling priority as expected.
BZ #729365
The allow_unconfined_qemu_transition Boolean has been removed to make sure
that QEMU is allowed to work together with the libguestfs library.
BZ #730218
Due to incorrect SELinux policy rules, the procmail mail delivery agent was not allowed to
execute the hostname command when HOST_NAME=`hostname` was specified in the
configuration file. This update adapts the SELinux policy to support the aforementioned
procmail option.
BZ #730662
Prior to this update, launching a new virtual machine with a fileinject custom property
caused Access Vector Cache (AVC) messages to be written to the audit log. With this
update, the relevant SELinux policy has been corrected to ensure this action no longer
produces such messages.
BZ #730837
When SELinux was running in enforcing mode, an attempt to run the puppet server that
was configured as a Passenger web application for scaling purposes failed. This update
provides adapted SELinux rules to allow this, and the puppet server configured as a
Passenger web application no longer fails to run.
BZ #730852
When the MAXCONN option in the /etc/sysconfig/memcached configuration file was set
to a value greater than 1024, an attempt to start the memcached service caused Access
Vector Cache (AVC) messages to be written to the audit log. This update corrects the
relevant SELinux policy so that memcached no longer produces AVC messages in this
scenario.
BZ #732196
The git_selinux(8) manual page now provides all information necessary to make the Git
daemon work over the SSH protocol.
BZ #732757
When SELinux was running in enforcing mode, the Kerberos authentication for the CUPS
web interface did not work properly. With this update, the SELinux policy has been updated
to support this configuration.
BZ #733002
Most of the major services in Red Hat Enterprise Linux 6 have a corresponding
service_selinux(8) manual page. Previously, there was no manual page for the Squid
caching proxy (squid). This update corrects this error, and the selinux-policy packages
now provide the squid_selinux(8) manual page as expected.
BZ #733039
This update adds a new abrt_selinux(8) manual page, which explains how to configure
SELinux policy for the Automatic Bug Reporting Tool (ABRT) service (abrtd).
BZ #733494
When SELinux was running in enforcing mode, the amrecover utility stopped responding
while recovering data from a virtual tape changer. With this update, appropriate SELinux
rules have been added so that amrecover no longer hangs in this situation.
BZ #733869
Prior to this update, the qmail-inject, qmail-queue, and sendmail programs were not
allowed to search and write into the /var/qmail/queue/ directory. With this update, this
error has been fixed and the updated SELinux rules now allow these operations.
BZ #739618
Previously, SELinux incorrectly prevented the Chromium and Google Chrome web
browsers from starting due to text file relocations. With this update, an appropriate SELinux
rule has been added so that SELinux no longer prevents these web browsers from starting.
BZ #739628
Due to an error in a SELinux policy, the output of the seinfo -r command incorrectly
contained lsassd_t, which is not a role. This update corrects the relevant policy to make
sure the aforementioned command now produces correct output.